From 308043b0320c58204a9213bf85755f22a2355d5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Sat, 18 Nov 2006 12:59:37 +0000 Subject: [PATCH] Define headers which to trust in configuration, thanks for help with this to Christian Schmidt, Peytz & Co. --- ChangeLog | 5 +++ Documentation.html | 11 ++++- libraries/ip_allow_deny.lib.php | 74 ++++++--------------------------- 3 files changed, 26 insertions(+), 64 deletions(-) diff --git a/ChangeLog b/ChangeLog index 10b830fd7..294f7ef38 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,11 @@ phpMyAdmin - ChangeLog $Id$ $Source$ +2006-11-18 Michal Čihař + * Documentation.html, libraries/ip_allow_deny.lib.php: Define headers + which to trust in configuration, thanks for help with this to Christian + Schmidt, Peytz & Co. + 2006-11-18 Marc Delisle * index.php, libraries/common.lib.php: undefined index diff --git a/Documentation.html b/Documentation.html index 8a5a9adc7..b0c8ed2b7 100644 --- a/Documentation.html +++ b/Documentation.html @@ -1404,10 +1404,17 @@ ALTER TABLE `pma_column_comments` frequently use some of these move them to the top.
$cfg['TrustedProxies'] array
-
Lists proxies which are trusted for Lists proxies and HTTP headers which are trusted for IP Allow/Deny. This list is by default empty, you need to fill in some trusted proxy servers if you - want to use rules for IP addresses behind proxy. + want to use rules for IP addresses behind proxy.

+ Following example enables use of X-Forwarded-For header for proxy + 1.2.3.4 and Coming-From header from 5.6.7.8: +
+$cfg['TrustedProxyVariables'] =
+	array('1.2.3.4' => 'HTTP_X_FORWARDED_FOR',
+	      '5.6.7.8' => 'HTTP_COMING_FROM');
+        
$cfg['GD2Available'] string
diff --git a/libraries/ip_allow_deny.lib.php b/libraries/ip_allow_deny.lib.php
index c0bcbf886..12493c2d5 100644
--- a/libraries/ip_allow_deny.lib.php
+++ b/libraries/ip_allow_deny.lib.php
@@ -17,76 +17,26 @@ */ function PMA_getIp() { - global $REMOTE_ADDR; - global $HTTP_X_FORWARDED_FOR, $HTTP_X_FORWARDED, $HTTP_FORWARDED_FOR, $HTTP_FORWARDED; - global $HTTP_VIA, $HTTP_X_COMING_FROM, $HTTP_COMING_FROM; - - // Get some server/environment variables values - if (empty($REMOTE_ADDR) && PMA_getenv('REMOTE_ADDR')) { - $REMOTE_ADDR = PMA_getenv('REMOTE_ADDR'); - } - if (empty($HTTP_X_FORWARDED_FOR) && PMA_getenv('HTTP_X_FORWARDED_FOR')) { - $HTTP_X_FORWARDED_FOR = PMA_getenv('HTTP_X_FORWARDED_FOR'); - } - if (empty($HTTP_X_FORWARDED) && PMA_getenv('HTTP_X_FORWARDED')) { - $HTTP_X_FORWARDED = PMA_getenv('HTTP_X_FORWARDED'); - } - if (empty($HTTP_FORWARDED_FOR) && PMA_getenv('HTTP_FORWARDED_FOR')) { - $HTTP_FORWARDED_FOR = PMA_getenv('HTTP_FORWARDED_FOR'); - } - if (empty($HTTP_FORWARDED) && PMA_getenv('HTTP_FORWARDED')) { - $HTTP_FORWARDED = PMA_getenv('HTTP_FORWARDED'); - } - if (empty($HTTP_VIA) && PMA_getenv('HTTP_VIA')) { - $HTTP_VIA = PMA_getenv('HTTP_VIA'); - } - if (empty($HTTP_X_COMING_FROM) && PMA_getenv('HTTP_X_COMING_FROM')) { - $HTTP_X_COMING_FROM = PMA_getenv('HTTP_X_COMING_FROM'); - } - if (empty($HTTP_COMING_FROM) && PMA_getenv('HTTP_COMING_FROM')) { - $HTTP_COMING_FROM = PMA_getenv('HTTP_COMING_FROM'); - } - - // Gets the default ip sent by the user - if (!empty($REMOTE_ADDR)) { - $direct_ip = $REMOTE_ADDR; + /* Get the address of user */ + if (!empty($_SERVER['REMOTE_ADDR'])) { + $direct_ip = $_SERVER['REMOTE_ADDR']; } else { - $direct_ip = ''; + /* We do not know remote IP */ + return false; } - // Gets the proxy ip sent by the user - $proxy_ip = ''; - if (!empty($HTTP_X_FORWARDED_FOR)) { - $proxy_ip = $HTTP_X_FORWARDED_FOR; - } elseif (!empty($HTTP_X_FORWARDED)) { - $proxy_ip = $HTTP_X_FORWARDED; - } elseif (!empty($HTTP_FORWARDED_FOR)) { - $proxy_ip = $HTTP_FORWARDED_FOR; - } elseif (!empty($HTTP_FORWARDED)) { - $proxy_ip = $HTTP_FORWARDED; - } elseif (!empty($HTTP_VIA)) { - $proxy_ip = $HTTP_VIA; - } elseif (!empty($HTTP_X_COMING_FROM)) 
{ - $proxy_ip = $HTTP_X_COMING_FROM; - } elseif (!empty($HTTP_COMING_FROM)) { - $proxy_ip = $HTTP_COMING_FROM; - } // end if... elseif... - - // Returns the true IP if it has been found, else false - if (empty($proxy_ip) || !in_array($direct_ip, $GLOBALS['cfg']['TrustedProxies'])) { - // True IP without proxy - return $direct_ip; - } else { + /* Do we trust this IP as a proxy? If yes we will use it's header. */ + if (isset($GLOBALS['cfg']['TrustedProxies'][$direct_ip])) { + $proxy_ip = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]); $is_ip = preg_match('|^([0-9]{1,3}\.){3,3}[0-9]{1,3}|', $proxy_ip, $regs); if ($is_ip && (count($regs) > 0)) { // True IP behind a proxy return $regs[0]; - } else { - // Can't define IP: there is a proxy but we don't have - // information about the true IP - return false; } - } // end if... else... + } + + /* Return true IP */ + return $direct_ip; } // end of the 'PMA_getIp()' function
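Review bot: The unchanged `preg_match` line still takes the first address in the header value, because `|^([0-9]{1,3}\.){3,3}[0-9]{1,3}|` is anchored only at the start; in a list-valued header such as X-Forwarded-For the leftmost entry is normally whatever the client sent, so unless the trusted proxy overwrites the header rather than appending to it, the IP Allow/Deny rules are evaluated against a value the client chooses. Prefer the last element, which is the one the trusted proxy itself appended, and anchor the match at both ends: `$parts = explode(',', $proxy_ip); $candidate = trim(end($parts));` followed by `preg_match('|^([0-9]{1,3}\.){3}[0-9]{1,3}$|', $candidate, $regs)`. With the old `return false;` branch removed, a missing or unparsable header from a trusted proxy now falls through to `return $direct_ip;`, so the rules see the proxy's own address; keeping a `return false;` at the end of the `isset(...)` block would preserve the earlier "IP unknown" result. The lookup reads `$cfg['TrustedProxies']`, while the example added to Documentation.html assigns `$cfg['TrustedProxyVariables']`, so a configuration copied from the example would not be read by this code.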