authorArthurHoaro <arthur@hoa.ro>2016-08-03 10:36:47 +0200
committerArthurHoaro <arthur@hoa.ro>2016-08-03 10:36:47 +0200
commit50d179183810a7b719bc10da2b9c4a95fd9dddee (patch)
treee669db360950025b4b6534075e940f532b0f00f3 /index.php
parentc7a42ab1d9b21bf53cd30bc57b57789716c8711b (diff)
Add trusted IPs in config and try to ban forwarded IP on failed login
* Add a new setting (which needs to be set manually): `security.trusted_proxies` * On login failure, if the `REMOTE_ADDR` is one of the trusted proxies, try to retrieve the forwarded IP from the request headers. * If found, the client address is added to ipbans; otherwise nothing is done. Fixes #409
Diffstat (limited to 'index.php')
-rw-r--r--index.php11
1 files changed, 10 insertions, 1 deletions
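--- a/index.php
+++ b/index.php
@@ -318,8 +318,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php');
 function ban_loginFailed($conf)
 {
     $ip = $_SERVER['REMOTE_ADDR'];
+    $trusted = $conf->get('security.trusted_proxies', array());
+    if (in_array($ip, $trusted)) {
+        $ip = getIpAddressFromProxy($_SERVER, $trusted);
+        if (!$ip) {
+            return;
+        }
+    }
     $gb = $GLOBALS['IPBANS'];
-    if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0;
+    if (! isset($gb['FAILURES'][$ip])) {
+        $gb['FAILURES'][$ip]=0;
+    }
     $gb['FAILURES'][$ip]++;
     if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))
     {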
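Review bot: The value returned by getIpAddressFromProxy() on the new line 323 is taken straight from request headers and is used unvalidated as the key of `$gb['FAILURES']`, which the surrounding code persists to the ban file; unless that helper (defined outside this hunk) already validates its result, the early-return guard should also reject anything that is not an IP literal, e.g. `if (!$ip || !filter_var($ip, FILTER_VALIDATE_IP)) {`. The `in_array($ip, $trusted)` check on line 322 should pass `true` as the third argument so a loosely-typed config value cannot match the address by coercion. Note that when the forwarded address cannot be determined the failure is silently dropped, so brute-force attempts arriving through a trusted proxy that does not set the header are never counted; a log line before the `return` would make that visible to operators. A docblock stating that `security.trusted_proxies` must be set explicitly and that only the forwarded client address, never the proxy address, is counted would help the next maintainer. ban_loginFailed() continues past the end of the hunk.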