Add trusted IPs in config and try to ban forwarded IP on failed login

* Add a new settings (which needs to be manually set): `security.trusted_proxies` * On login failure, if the `REMOTE_ADDR` is in the trusted proxies, try to retrieve the forwarded IP in headers. * If found, the client address is added in ipbans, else we do nothing. Fixes #409
author: ArthurHoaro <arthur@hoa.ro> 2016-08-03 10:36:47 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2016-08-03 10:36:47 +0200
commit: 50d179183810a7b719bc10da2b9c4a95fd9dddee (patch)
tree: e669db360950025b4b6534075e940f532b0f00f3 /index.php
parent: c7a42ab1d9b21bf53cd30bc57b57789716c8711b (diff)
download: Shaarli-50d179183810a7b719bc10da2b9c4a95fd9dddee.tar.gz
Shaarli-50d179183810a7b719bc10da2b9c4a95fd9dddee.tar.zst
Shaarli-50d179183810a7b719bc10da2b9c4a95fd9dddee.zip
1 files changed, 10 insertions, 1 deletions
diff --git a/index.php b/index.php
index 55b12adc..ab51fa23 100644
--- a/index.php
+++ b/index.php
@@ -318,8 +318,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php');
 function ban_loginFailed($conf)
 {
    $ip = $_SERVER['REMOTE_ADDR'];
+    $trusted = $conf->get('security.trusted_proxies', array());
+    if (in_array($ip, $trusted)) {
+        $ip = getIpAddressFromProxy($_SERVER, $trusted);
+        if (!$ip) {
+            return;
+        }
+    }
    $gb = $GLOBALS['IPBANS'];
-    if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0;
+    if (! isset($gb['FAILURES'][$ip])) {
+        $gb['FAILURES'][$ip]=0;
+    }
    $gb['FAILURES'][$ip]++;
    if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))
    {
author	ArthurHoaro <arthur@hoa.ro>	2016-08-03 10:36:47 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2016-08-03 10:36:47 +0200
commit	50d179183810a7b719bc10da2b9c4a95fd9dddee (patch)
tree	e669db360950025b4b6534075e940f532b0f00f3 /index.php
parent	c7a42ab1d9b21bf53cd30bc57b57789716c8711b (diff)
download	Shaarli-50d179183810a7b719bc10da2b9c4a95fd9dddee.tar.gz Shaarli-50d179183810a7b719bc10da2b9c4a95fd9dddee.tar.zst Shaarli-50d179183810a7b719bc10da2b9c4a95fd9dddee.zip

diff --git a/index.php b/index.php index 55b12adc..ab51fa23 100644 --- a/index.php +++ b/index.php
@@ -318,8 +318,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php');
318	function ban_loginFailed($conf)	318	function ban_loginFailed($conf)
319	{	319	{
320	$ip = $_SERVER['REMOTE_ADDR'];	320	$ip = $_SERVER['REMOTE_ADDR'];
		321	$trusted = $conf->get('security.trusted_proxies', array());
		322	if (in_array($ip, $trusted)) {
		323	$ip = getIpAddressFromProxy($_SERVER, $trusted);
		324	if (!$ip) {
		325	return;
		326	}
		327	}
321	$gb = $GLOBALS['IPBANS'];	328	$gb = $GLOBALS['IPBANS'];
322	if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0;	329	if (! isset($gb['FAILURES'][$ip])) {
		330	$gb['FAILURES'][$ip]=0;
		331	}
323	$gb['FAILURES'][$ip]++;	332	$gb['FAILURES'][$ip]++;
324	if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))	333	if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))
325	{	334	{