3 files changed, 94 insertions, 1 deletions
diff --git a/application/HttpUtils.php b/application/HttpUtils.php
index 27a39d3d..e705cfd6 100644
--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@@ -355,3 +355,29 @@ function page_url($server)
    }
    return index_url($server);
 }
+/**
+ * Retrieve the initial IP forwarded by the reverse proxy.
+ *
+ * Inspired from: https://github.com/zendframework/zend-http/blob/master/src/PhpEnvironment/RemoteAddress.php
+ *
+ * @param array $server     $_SERVER array which contains HTTP headers.
+ * @param array $trustedIps List of trusted IP from the configuration.
+ *
+ * @return string|bool The forwarded IP, or false if none could be extracted.
+ */
+function getIpAddressFromProxy($server, $trustedIps)
+{
+    $forwardedIpHeader = 'HTTP_X_FORWARDED_FOR';
+    if (empty($server[$forwardedIpHeader])) {
+        return false;
+    }
+    $ips = preg_split('/\s*,\s*/', $server[$forwardedIpHeader]);
+    $ips = array_diff($ips, $trustedIps);
+    if (empty($ips)) {
+        return false;
+    }
+    return array_pop($ips);
+}
diff --git a/index.php b/index.php
index f9f24895..9f50d153 100644
--- a/index.php
+++ b/index.php
@@ -332,8 +332,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php');
 function ban_loginFailed($conf)
 {
    $ip = $_SERVER['REMOTE_ADDR'];
+    $trusted = $conf->get('security.trusted_proxies', array());
+    if (in_array($ip, $trusted)) {
+        $ip = getIpAddressFromProxy($_SERVER, $trusted);
+        if (!$ip) {
+            return;
+        }
+    }
    $gb = $GLOBALS['IPBANS'];
-    if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0;
+    if (! isset($gb['FAILURES'][$ip])) {
+        $gb['FAILURES'][$ip]=0;
+    }
    $gb['FAILURES'][$ip]++;
    if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))
    {
diff --git a/tests/HttpUtils/GetIpAdressFromProxyTest.php b/tests/HttpUtils/GetIpAdressFromProxyTest.php
new file mode 100644
index 00000000..6a74a45a
--- /dev/null
+++ b/tests/HttpUtils/GetIpAdressFromProxyTest.php
@@ -0,0 +1,58 @@
+<?php
+require_once 'application/HttpUtils.php';
+/**
+ * Unitary tests for getIpAddressFromProxy()
+ */
+class GetIpAdressFromProxyTest extends PHPUnit_Framework_TestCase {
+    /**
+     * Test without proxy
+     */
+    public function testWithoutProxy()
+    {
+        $this->assertFalse(getIpAddressFromProxy(array(), array()));
+    }
+    /**
+     * Test with a single IP in proxy header.
+     */
+    public function testWithOneForwardedIp()
+    {
+        $ip = '1.1.1.1';
+        $server = array('HTTP_X_FORWARDED_FOR' => $ip);
+        $this->assertEquals($ip, getIpAddressFromProxy($server, array()));
+    }
+    /**
+     * Test with a multiple IPs in proxy header.
+     */
+    public function testWithMultipleForwardedIp()
+    {
+        $ip = '1.1.1.1';
+        $ip2 = '2.2.2.2';
+        $server = array('HTTP_X_FORWARDED_FOR' => $ip .','. $ip2);
+        $this->assertEquals($ip2, getIpAddressFromProxy($server, array()));
+        $server = array('HTTP_X_FORWARDED_FOR' => $ip .' ,   '. $ip2);
+        $this->assertEquals($ip2, getIpAddressFromProxy($server, array()));
+    }
+    /**
+     * Test with a trusted IP address.
+     */
+    public function testWithTrustedIp()
+    {
+        $ip = '1.1.1.1';
+        $ip2 = '2.2.2.2';
+        $server = array('HTTP_X_FORWARDED_FOR' => $ip);
+        $this->assertFalse(getIpAddressFromProxy($server, array($ip)));
+        $server = array('HTTP_X_FORWARDED_FOR' => $ip .','. $ip2);
+        $this->assertEquals($ip2, getIpAddressFromProxy($server, array($ip)));
+        $this->assertFalse(getIpAddressFromProxy($server, array($ip, $ip2)));
+    }
+}

diff --git a/application/HttpUtils.php b/application/HttpUtils.php index 27a39d3d..e705cfd6 100644 --- a/application/HttpUtils.php +++ b/application/HttpUtils.php
@@ -355,3 +355,29 @@ function page_url($server)
355	}	355	}
356	return index_url($server);	356	return index_url($server);
357	}	357	}
		358
		359	/**
		360	* Retrieve the initial IP forwarded by the reverse proxy.
		361	*
		362	* Inspired from: https://github.com/zendframework/zend-http/blob/master/src/PhpEnvironment/RemoteAddress.php
		363	*
		364	* @param array $server $_SERVER array which contains HTTP headers.
		365	* @param array $trustedIps List of trusted IP from the configuration.
		366	*
		367	* @return string\|bool The forwarded IP, or false if none could be extracted.
		368	*/
		369	function getIpAddressFromProxy($server, $trustedIps)
		370	{
		371	$forwardedIpHeader = 'HTTP_X_FORWARDED_FOR';
		372	if (empty($server[$forwardedIpHeader])) {
		373	return false;
		374	}
		375
		376	$ips = preg_split('/\s,\s/', $server[$forwardedIpHeader]);
		377	$ips = array_diff($ips, $trustedIps);
		378	if (empty($ips)) {
		379	return false;
		380	}
		381
		382	return array_pop($ips);
		383	}


diff --git a/index.php b/index.php index f9f24895..9f50d153 100644 --- a/index.php +++ b/index.php
@@ -332,8 +332,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php');
332	function ban_loginFailed($conf)	332	function ban_loginFailed($conf)
333	{	333	{
334	$ip = $_SERVER['REMOTE_ADDR'];	334	$ip = $_SERVER['REMOTE_ADDR'];
		335	$trusted = $conf->get('security.trusted_proxies', array());
		336	if (in_array($ip, $trusted)) {
		337	$ip = getIpAddressFromProxy($_SERVER, $trusted);
		338	if (!$ip) {
		339	return;
		340	}
		341	}
335	$gb = $GLOBALS['IPBANS'];	342	$gb = $GLOBALS['IPBANS'];
336	if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0;	343	if (! isset($gb['FAILURES'][$ip])) {
		344	$gb['FAILURES'][$ip]=0;
		345	}
337	$gb['FAILURES'][$ip]++;	346	$gb['FAILURES'][$ip]++;
338	if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))	347	if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))
339	{	348	{


diff --git a/tests/HttpUtils/GetIpAdressFromProxyTest.php b/tests/HttpUtils/GetIpAdressFromProxyTest.php new file mode 100644 index 00000000..6a74a45a --- /dev/null +++ b/tests/HttpUtils/GetIpAdressFromProxyTest.php
@@ -0,0 +1,58 @@
		1	<?php
		2
		3	require_once 'application/HttpUtils.php';
		4
		5	/**
		6	* Unitary tests for getIpAddressFromProxy()
		7	*/
		8	class GetIpAdressFromProxyTest extends PHPUnit_Framework_TestCase {
		9
		10	/**
		11	* Test without proxy
		12	*/
		13	public function testWithoutProxy()
		14	{
		15	$this->assertFalse(getIpAddressFromProxy(array(), array()));
		16	}
		17
		18	/**
		19	* Test with a single IP in proxy header.
		20	*/
		21	public function testWithOneForwardedIp()
		22	{
		23	$ip = '1.1.1.1';
		24	$server = array('HTTP_X_FORWARDED_FOR' => $ip);
		25	$this->assertEquals($ip, getIpAddressFromProxy($server, array()));
		26	}
		27
		28	/**
		29	* Test with a multiple IPs in proxy header.
		30	*/
		31	public function testWithMultipleForwardedIp()
		32	{
		33	$ip = '1.1.1.1';
		34	$ip2 = '2.2.2.2';
		35
		36	$server = array('HTTP_X_FORWARDED_FOR' => $ip .','. $ip2);
		37	$this->assertEquals($ip2, getIpAddressFromProxy($server, array()));
		38
		39	$server = array('HTTP_X_FORWARDED_FOR' => $ip .' , '. $ip2);
		40	$this->assertEquals($ip2, getIpAddressFromProxy($server, array()));
		41	}
		42
		43	/**
		44	* Test with a trusted IP address.
		45	*/
		46	public function testWithTrustedIp()
		47	{
		48	$ip = '1.1.1.1';
		49	$ip2 = '2.2.2.2';
		50
		51	$server = array('HTTP_X_FORWARDED_FOR' => $ip);
		52	$this->assertFalse(getIpAddressFromProxy($server, array($ip)));
		53
		54	$server = array('HTTP_X_FORWARDED_FOR' => $ip .','. $ip2);
		55	$this->assertEquals($ip2, getIpAddressFromProxy($server, array($ip)));
		56	$this->assertFalse(getIpAddressFromProxy($server, array($ip, $ip2)));
		57	}
		58	}