Trust only listed proxies for IP Allow/Deny.

Michal Čihař
2006-11-17 09:52:45 +00:00
parent 7e5f61842c
commit 3f8663ead7
4 changed files with 21 additions and 3 deletions

@@ -12,6 +12,9 @@ $HeadURL$
* index.php, libraries/cleanup.lib.php, libraries/url_generating.lib.php, * index.php, libraries/cleanup.lib.php, libraries/url_generating.lib.php,
libraries/common.lib.php, libraries/select_lang.lib.php: Fix path libraries/common.lib.php, libraries/select_lang.lib.php: Fix path
disclossure while passing array as some params. disclossure while passing array as some params.
* Documentation.html, libraries/ip_allow_deny.lib.php,
libraries/config.default.php: Trust only listed proxies for IP
Allow/Deny.
2006-11-16 Marc Delisle <lem9@users.sourceforge.net> 2006-11-16 Marc Delisle <lem9@users.sourceforge.net>
* pmd_pdf.php: export coordinates to PDF page even if the tables * pmd_pdf.php: export coordinates to PDF page even if the tables

@@ -501,7 +501,7 @@ GRANT ALL PRIVILEGES ON user_base.* TO 'real_user'@localhost IDENTIFIED BY 'real
suggested, perhaps a <a href="#glossary">.htaccess</a> file with the suggested, perhaps a <a href="#glossary">.htaccess</a> file with the
HTTP-AUTH directive or disallowing incoming HTTP requests at HTTP-AUTH directive or disallowing incoming HTTP requests at
one&#8217;s router or firewall will suffice (both of which one&#8217;s router or firewall will suffice (both of which
are beyond the scope of this manual but easily searchable with Google).</li> are beyond the scope of this manual but easily searchable with Google).</li>
</ul> </ul>
<!-- CONFIGURATION --> <!-- CONFIGURATION -->
@@ -1006,7 +1006,11 @@ ALTER TABLE `pma_column_comments`
listed in the <i>allow</i> rules, and not listed in the <i>deny</i> listed in the <i>allow</i> rules, and not listed in the <i>deny</i>
rules. This is the <b>most</b> secure means of using Allow/Deny rules, rules. This is the <b>most</b> secure means of using Allow/Deny rules,
and was available in Apache by specifying allow and deny rules without and was available in Apache by specifying allow and deny rules without
setting any order. setting any order.<br /><br />
Please also see <a
href="#cfg_TrustedProxies">$cfg['TrustedProxies']</a> for detecting IP
address behind proxies.
</dd> </dd>
<dt id="servers_allowdeny_rules"> <dt id="servers_allowdeny_rules">
<span id="cfg_Servers_AllowDeny_rules">$cfg['Servers'][$i]['AllowDeny']['rules']</span> array of strings <span id="cfg_Servers_AllowDeny_rules">$cfg['Servers'][$i]['AllowDeny']['rules']</span> array of strings
@@ -1447,6 +1451,13 @@ ALTER TABLE `pma_column_comments`
Character sets will be shown in same order as here listed, so if you Character sets will be shown in same order as here listed, so if you
frequently use some of these move them to the top.</dd> frequently use some of these move them to the top.</dd>
<dt id="cfg_TrustedProxies">$cfg['TrustedProxies'] array</dt>
<dd>Lists proxies which are trusted for <a
href="#servers_allowdeny_order">IP Allow/Deny</a>. This list is by
default empty, you need to fill in some trusted proxy servers if you
want to use rules for IP addresses behind proxy.
</dd>
<dt id="cfg_GD2Available">$cfg['GD2Available'] string</dt> <dt id="cfg_GD2Available">$cfg['GD2Available'] string</dt>
<dd>Specifies whether GD &gt;= 2 is available. If yes it can be used for <dd>Specifies whether GD &gt;= 2 is available. If yes it can be used for
MIME transformations.<br /> MIME transformations.<br />
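Review bot: The new $cfg['TrustedProxies'] entry does not say what form the list items take or how they are matched. The check added in PMA_getIp() is in_array($direct_ip, $GLOBALS['cfg']['TrustedProxies']), so each entry has to be the exact address string the proxy connects from; a hostname or an address range will not match. Suggest stating that in the description and adding a short example value, and noting that with the default empty list the address reported by a proxy is never used, so Allow/Deny rules are evaluated against the connecting address.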

@@ -612,6 +612,8 @@ $cfg['GD2Available'] = 'auto'; // Is GD >= 2 available? Set to yes/
// does autodetection, which is a bit expensive for // does autodetection, which is a bit expensive for
// php < 4.3.0, but it is the only safe vay how to // php < 4.3.0, but it is the only safe vay how to
// determine GD version. // determine GD version.
$cfg['TrustedProxies'] = array(); // List of trusted proxies for IP allow/deny
/** /**
* SQL Parser Settings * SQL Parser Settings
*/ */

@@ -50,6 +50,8 @@ function PMA_getIp()
// Gets the default ip sent by the user // Gets the default ip sent by the user
if (!empty($REMOTE_ADDR)) { if (!empty($REMOTE_ADDR)) {
$direct_ip = $REMOTE_ADDR; $direct_ip = $REMOTE_ADDR;
} else {
$direct_ip = '';
} }
// Gets the proxy ip sent by the user // Gets the proxy ip sent by the user
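Review bot: With the new else branch, $direct_ip is '' when $REMOTE_ADDR is empty, and that empty string is what the function returns on the non-proxy path, while the comment in the following hunk still reads "Returns the true IP if it has been found, else false". Either return false explicitly when $direct_ip is empty or update that comment, so any caller that tests the result against false behaves as documented.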
@@ -71,7 +73,7 @@ function PMA_getIp()
} // end if... elseif... } // end if... elseif...
// Returns the true IP if it has been found, else false // Returns the true IP if it has been found, else false
if (empty($proxy_ip)) { if (empty($proxy_ip) || !in_array($direct_ip, $GLOBALS['cfg']['TrustedProxies'])) {
// True IP without proxy // True IP without proxy
return $direct_ip; return $direct_ip;
} else { } else {
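Review bot: The in_array() call in the changed condition uses loose comparison and assumes $GLOBALS['cfg']['TrustedProxies'] is always an array. Pass true as the third argument so the connecting address has to match an entry as a string (with loose comparison, the '' now assigned to $direct_ip would equal a null or false entry in the list), and guard with is_array() or default to array() for configurations written before this setting existed. A short comment on this line saying that the proxy-supplied address is honoured only when the connecting address is itself a listed proxy would also help, since that is the property the condition enforces.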