Commit 7f6e37db authored by lphuberdeau's avatar lphuberdeau

[MOD] Mozilla upstream. Fixing get_ip_address to give priority to...

[MOD] Mozilla upstream. Fixing get_ip_address to give priority to X_FORWARDED_FOR (for load balancers) and remove all remaining traces of direct calls to REMOTE_ADDR
parent 8bda8f7d
......@@ -166,18 +166,15 @@ class TikiLib extends TikiDb_Bridge
// Returns IP address or if 127.0.0.1 looks for a proxy address
function get_ip_address() {
$ip = "127.0.0.1"; // assume localhost
if (isset($_SERVER["REMOTE_ADDR"])) {
$ip = $_SERVER["REMOTE_ADDR"];
}
if ($ip == "127.0.0.1") {
if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
$fwips = explode(',', $_SERVER["HTTP_X_FORWARDED_FOR"]);
$ip = $fwips[0]; // There may be several but using first IP
// This might need improvement for configurations with multiple proxies.
}
}
return $ip;
}
if (isset($_SERVER["REMOTE_ADDR"])) {
$ip = $_SERVER["REMOTE_ADDR"];
}
if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
$fwips = explode(',', $_SERVER["HTTP_X_FORWARDED_FOR"]);
$ip = $fwips[0];
}
return $ip;
}
/*shared*/
function check_rules($user, $section) {
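Review bot: The rewritten get_ip_address() (the unconditional variant, which matches the commit message; the +/- markers are lost on this page) lets `HTTP_X_FORWARDED_FOR` override `REMOTE_ADDR` on every request, but that header is client-supplied unless a proxy in front of Tiki rewrites it. It also takes `$fwips[0]`, the left-most entry and the one furthest from any trusted hop, and returns it without trimming or checking that it is an IP address. Callers that log the value or compare it against a fixed address would then be working with caller-chosen text. Honour the header only when `REMOTE_ADDR` is a configured load balancer, take the entry that proxy appended, and validate it before use; the trusted-proxy list in the sketch below is a placeholder for site configuration.

```php
function get_ip_address() {
	$ip = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : "127.0.0.1";
	// $trustedProxies is a placeholder: load balancer addresses taken from site configuration
	if (in_array($ip, $trustedProxies, true) && isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
		$fwips = array_map('trim', explode(',', $_SERVER["HTTP_X_FORWARDED_FOR"]));
		// the last entry is the one appended by the trusted proxy; earlier entries came from the client side
		$candidate = end($fwips);
		if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
			$ip = $candidate;
		}
	}
	return $ip;
}
```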
......
......@@ -129,8 +129,6 @@ closedir ($h);
// record that the user wanted to download some files
// to be fixed by adding the tiki_download table definitively
$userid = $userlib->get_user_id($user);
//$query = "insert into tiki_download (object,userid,type,date,IP) values ('$file_name',$userid,'maps',".date("U").",'".$_SERVER["REMOTE_ADDR"]."')";
//$result = $userlib->query($query);
$smarty->assign('nodownload', $nodownload);
$smarty->assign_by_ref('files',$files);
......
......@@ -107,7 +107,7 @@ session_name( $prefs['session_cookie_name'] );
// Only accept PHP's session ID in URL when the request comes from the tiki server itself
// This is used by features that need to query the server to retrieve tiki's generated html and images (e.g. pdf export)
if (isset($_GET[session_name()]) && $_SERVER['REMOTE_ADDR'] == '127.0.0.1') {
if (isset($_GET[session_name()]) && $tikilib->get_ip_address() == '127.0.0.1') {
$_COOKIE[session_name()] = $_GET[session_name()];
session_id($_GET[session_name()]);
}
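Review bot: The localhost test guarding the `$_GET[session_name()]` branch now calls `$tikilib->get_ip_address()`, which after this commit prefers X-Forwarded-For, so it no longer shows that the request originated on the Tiki server itself. This branch accepts a session id from the URL, so the decision should stay tied to the socket peer address rather than a request header: `if (isset($_GET[session_name()]) && isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] == '127.0.0.1') {`. The same concern applies to the "This script can only be called by the server!" guard in the hunk that follows, where `'127.0.0.1' != $tikilib->get_ip_address()` replaces the direct `REMOTE_ADDR` comparison. Behind a load balancer neither check can rely on an IP-derived value alone, so a shared secret or a CLI-only entry point would be a sturdier gate there.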
......
......@@ -5,7 +5,9 @@
// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details.
include_once ('tiki-setup.php');
if ($_SERVER['REMOTE_ADDR'] != "127.0.0.1" AND !empty($_SERVER['REMOTE_ADDR'])) die("This script can only be called by the server!");
if ( '127.0.0.1' != $tikilib->get_ip_address() ) {
die("This script can only be called by the server!");
}
if ($prefs['feature_daily_report_watches'] != 'y') {
die("This feature is disabled");
}
......