Define headers which to trust in configuration, thanks for help with this to Christian Schmidt, Peytz & Co.

2006-11-18 12:59:37 +00:00
parent 74d1c7de63
commit 308043b032
3 changed files with 26 additions and 64 deletions
--- a/5
+++ b/5
@@ -5,6 +5,11 @@ phpMyAdmin - ChangeLog
 $Id$
 $Source$

+2006-11-18 Michal Čihař  <michal@cihar.com>
+    * Documentation.html, libraries/ip_allow_deny.lib.php: Define headers
+      which to trust in configuration, thanks for help with this to Christian
+      Schmidt, Peytz & Co.
+
 2006-11-18 Marc Delisle  <lem9@users.sourceforge.net>
    * index.php, libraries/common.lib.php: undefined index

--- a/Documentation.html
+++ b/Documentation.html
@@ -1404,10 +1404,17 @@ ALTER TABLE `pma_column_comments`
        frequently use some of these move them to the top.</dd>

    <dt id="cfg_TrustedProxies">$cfg['TrustedProxies'] array</dt>
-    <dd>Lists proxies which are trusted for <a
+    <dd>Lists proxies and HTTP headers which are trusted for <a
        href="#servers_allowdeny_order">IP Allow/Deny</a>. This list is by
        default empty, you need to fill in some trusted proxy servers if you
-        want to use rules for IP addresses behind proxy.
+        want to use rules for IP addresses behind proxy.<br /><br />
+        Following example enables use of X-Forwarded-For header for proxy
+        1.2.3.4 and Coming-From header from 5.6.7.8:
+        <pre>
+$cfg['TrustedProxyVariables'] =
+	array('1.2.3.4' =&gt; 'HTTP_X_FORWARDED_FOR',
+	      '5.6.7.8' =&gt; 'HTTP_COMING_FROM');
+        </pre>
    </dd>

    <dt id="cfg_GD2Available">$cfg['GD2Available'] string</dt>
--- a/libraries/ip_allow_deny.lib.php
+++ b/libraries/ip_allow_deny.lib.php
@@ -17,76 +17,26 @@
 */
 function PMA_getIp()
 {
-    global $REMOTE_ADDR;
-    global $HTTP_X_FORWARDED_FOR, $HTTP_X_FORWARDED, $HTTP_FORWARDED_FOR, $HTTP_FORWARDED;
-    global $HTTP_VIA, $HTTP_X_COMING_FROM, $HTTP_COMING_FROM;
-
-    // Get some server/environment variables values
-    if (empty($REMOTE_ADDR) && PMA_getenv('REMOTE_ADDR')) {
-        $REMOTE_ADDR = PMA_getenv('REMOTE_ADDR');
-    }
-    if (empty($HTTP_X_FORWARDED_FOR) && PMA_getenv('HTTP_X_FORWARDED_FOR')) {
-        $HTTP_X_FORWARDED_FOR = PMA_getenv('HTTP_X_FORWARDED_FOR');
-    }
-    if (empty($HTTP_X_FORWARDED) && PMA_getenv('HTTP_X_FORWARDED')) {
-        $HTTP_X_FORWARDED = PMA_getenv('HTTP_X_FORWARDED');
-    }
-    if (empty($HTTP_FORWARDED_FOR) && PMA_getenv('HTTP_FORWARDED_FOR')) {
-        $HTTP_FORWARDED_FOR = PMA_getenv('HTTP_FORWARDED_FOR');
-    }
-    if (empty($HTTP_FORWARDED) && PMA_getenv('HTTP_FORWARDED')) {
-        $HTTP_FORWARDED = PMA_getenv('HTTP_FORWARDED');
-    }
-    if (empty($HTTP_VIA) && PMA_getenv('HTTP_VIA')) {
-        $HTTP_VIA = PMA_getenv('HTTP_VIA');
-    }
-    if (empty($HTTP_X_COMING_FROM) && PMA_getenv('HTTP_X_COMING_FROM')) {
-        $HTTP_X_COMING_FROM = PMA_getenv('HTTP_X_COMING_FROM');
-    }
-    if (empty($HTTP_COMING_FROM) && PMA_getenv('HTTP_COMING_FROM')) {
-        $HTTP_COMING_FROM = PMA_getenv('HTTP_COMING_FROM');
-    }
-
-    // Gets the default ip sent by the user
-    if (!empty($REMOTE_ADDR)) {
-        $direct_ip = $REMOTE_ADDR;
+    /* Get the address of user */
+    if (!empty($_SERVER['REMOTE_ADDR'])) {
+        $direct_ip = $_SERVER['REMOTE_ADDR'];
    } else {
-        $direct_ip = '';
+        /* We do not know remote IP */
+        return false;
    }

-    // Gets the proxy ip sent by the user
-    $proxy_ip     = '';
-    if (!empty($HTTP_X_FORWARDED_FOR)) {
-        $proxy_ip = $HTTP_X_FORWARDED_FOR;
-    } elseif (!empty($HTTP_X_FORWARDED)) {
-        $proxy_ip = $HTTP_X_FORWARDED;
-    } elseif (!empty($HTTP_FORWARDED_FOR)) {
-        $proxy_ip = $HTTP_FORWARDED_FOR;
-    } elseif (!empty($HTTP_FORWARDED)) {
-        $proxy_ip = $HTTP_FORWARDED;
-    } elseif (!empty($HTTP_VIA)) {
-        $proxy_ip = $HTTP_VIA;
-    } elseif (!empty($HTTP_X_COMING_FROM)) {
-        $proxy_ip = $HTTP_X_COMING_FROM;
-    } elseif (!empty($HTTP_COMING_FROM)) {
-        $proxy_ip = $HTTP_COMING_FROM;
-    } // end if... elseif...
-
-    // Returns the true IP if it has been found, else false
-    if (empty($proxy_ip) || !in_array($direct_ip, $GLOBALS['cfg']['TrustedProxies'])) {
-        // True IP without proxy
-        return $direct_ip;
-    } else {
+    /* Do we trust this IP as a proxy? If yes we will use it's header. */
+    if (isset($GLOBALS['cfg']['TrustedProxies'][$direct_ip])) {
+        $proxy_ip = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
        $is_ip = preg_match('|^([0-9]{1,3}\.){3,3}[0-9]{1,3}|', $proxy_ip, $regs);
        if ($is_ip && (count($regs) > 0)) {
            // True IP behind a proxy
            return $regs[0];
-        } else {
-            // Can't define IP: there is a proxy but we don't have
-            // information about the true IP
-            return false;
        }
-    } // end if... else...
+    }
+
+    /* Return true IP */
+    return $direct_ip;
 } // end of the 'PMA_getIp()' function