Merge pull request #623 from ArthurHoaro/security/reverse-proxy-ban

Add trusted IPs in config and try to ban forwarded IP on failed login
author: Arthur <arthur@hoa.ro> 2016-10-12 14:48:57 +0200
committer: GitHub <noreply@github.com> 2016-10-12 14:48:57 +0200
commit: adcdac1dec45090e2fa1cd4a340e91a40c7a205f (patch)
tree: e242ed8fe8f6ebf9ca02c1b4aca944f9f7bbd467 /index.php
parent: 24cfb960cfdd88255333bfb2a08d586916b460ae (diff)
parent: 50d179183810a7b719bc10da2b9c4a95fd9dddee (diff)
download: Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.tar.gz
Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.tar.zst
Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.zip
1 files changed, 10 insertions, 1 deletions
diff --git a/index.php b/index.php
index f9f24895..9f50d153 100644
--- a/index.php
+++ b/index.php
@@ -332,8 +332,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php');
 function ban_loginFailed($conf)
 {
    $ip = $_SERVER['REMOTE_ADDR'];
+    $trusted = $conf->get('security.trusted_proxies', array());
+    if (in_array($ip, $trusted)) {
+        $ip = getIpAddressFromProxy($_SERVER, $trusted);
+        if (!$ip) {
+            return;
+        }
+    }
    $gb = $GLOBALS['IPBANS'];
-    if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0;
+    if (! isset($gb['FAILURES'][$ip])) {
+        $gb['FAILURES'][$ip]=0;
+    }
    $gb['FAILURES'][$ip]++;
    if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))
    {
author	Arthur <arthur@hoa.ro>	2016-10-12 14:48:57 +0200
committer	GitHub <noreply@github.com>	2016-10-12 14:48:57 +0200
commit	adcdac1dec45090e2fa1cd4a340e91a40c7a205f (patch)
tree	e242ed8fe8f6ebf9ca02c1b4aca944f9f7bbd467 /index.php
parent	24cfb960cfdd88255333bfb2a08d586916b460ae (diff)
parent	50d179183810a7b719bc10da2b9c4a95fd9dddee (diff)
download	Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.tar.gz Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.tar.zst Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.zip

diff --git a/index.php b/index.php index f9f24895..9f50d153 100644 --- a/index.php +++ b/index.php
@@ -332,8 +332,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php');
332	function ban_loginFailed($conf)	332	function ban_loginFailed($conf)
333	{	333	{
334	$ip = $_SERVER['REMOTE_ADDR'];	334	$ip = $_SERVER['REMOTE_ADDR'];
		335	$trusted = $conf->get('security.trusted_proxies', array());
		336	if (in_array($ip, $trusted)) {
		337	$ip = getIpAddressFromProxy($_SERVER, $trusted);
		338	if (!$ip) {
		339	return;
		340	}
		341	}
335	$gb = $GLOBALS['IPBANS'];	342	$gb = $GLOBALS['IPBANS'];
336	if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0;	343	if (! isset($gb['FAILURES'][$ip])) {
		344	$gb['FAILURES'][$ip]=0;
		345	}
337	$gb['FAILURES'][$ip]++;	346	$gb['FAILURES'][$ip]++;
338	if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))	347	if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))
339	{	348	{