Add trusted IPs in config and try to ban forwarded IP on failed login

* Add a new settings (which needs to be manually set): `security.trusted_proxies` * On login failure, if the `REMOTE_ADDR` is in the trusted proxies, try to retrieve the forwarded IP in headers. * If found, the client address is added in ipbans, else we do nothing. Fixes #409
author: ArthurHoaro <arthur@hoa.ro> 2016-08-03 10:36:47 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2016-11-05 14:29:52 +0100
commit: 3116d8671d388690bac1070e39d2c74d28b14f0e (patch)
tree: a310adfe8af2c0bd0c792d914dd7c26bcf9d910e /index.php
parent: 4fd053d6b29a1b6724eda17a3daddb29b1bf1ca3 (diff)
download: Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.tar.gz
Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.tar.zst
Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.zip
1 files changed, 10 insertions, 1 deletions
diff --git a/index.php b/index.php
index f9f24895..9f50d153 100644
--- a/index.php
+++ b/index.php
@@ -332,8 +332,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php');
 function ban_loginFailed($conf)
 {
    $ip = $_SERVER['REMOTE_ADDR'];
+    $trusted = $conf->get('security.trusted_proxies', array());
+    if (in_array($ip, $trusted)) {
+        $ip = getIpAddressFromProxy($_SERVER, $trusted);
+        if (!$ip) {
+            return;
+        }
+    }
    $gb = $GLOBALS['IPBANS'];
-    if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0;
+    if (! isset($gb['FAILURES'][$ip])) {
+        $gb['FAILURES'][$ip]=0;
+    }
    $gb['FAILURES'][$ip]++;
    if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))
    {
author	ArthurHoaro <arthur@hoa.ro>	2016-08-03 10:36:47 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2016-11-05 14:29:52 +0100
commit	3116d8671d388690bac1070e39d2c74d28b14f0e (patch)
tree	a310adfe8af2c0bd0c792d914dd7c26bcf9d910e /index.php
parent	4fd053d6b29a1b6724eda17a3daddb29b1bf1ca3 (diff)
download	Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.tar.gz Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.tar.zst Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.zip

diff --git a/index.php b/index.php index f9f24895..9f50d153 100644 --- a/index.php +++ b/index.php
@@ -332,8 +332,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php');
332	function ban_loginFailed($conf)	332	function ban_loginFailed($conf)
333	{	333	{
334	$ip = $_SERVER['REMOTE_ADDR'];	334	$ip = $_SERVER['REMOTE_ADDR'];
		335	$trusted = $conf->get('security.trusted_proxies', array());
		336	if (in_array($ip, $trusted)) {
		337	$ip = getIpAddressFromProxy($_SERVER, $trusted);
		338	if (!$ip) {
		339	return;
		340	}
		341	}
335	$gb = $GLOBALS['IPBANS'];	342	$gb = $GLOBALS['IPBANS'];
336	if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0;	343	if (! isset($gb['FAILURES'][$ip])) {
		344	$gb['FAILURES'][$ip]=0;
		345	}
337	$gb['FAILURES'][$ip]++;	346	$gb['FAILURES'][$ip]++;
338	if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))	347	if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))
339	{	348	{