Trust only listed proxies for IP Allow/Deny.

Michal Čihař
2006-11-17 09:52:45 +00:00
parent 7e5f61842c
commit 3f8663ead7
4 changed files with 21 additions and 3 deletions

@@ -12,6 +12,9 @@ $HeadURL$
* index.php, libraries/cleanup.lib.php, libraries/url_generating.lib.php,
libraries/common.lib.php, libraries/select_lang.lib.php: Fix path
disclossure while passing array as some params.
* Documentation.html, libraries/ip_allow_deny.lib.php,
libraries/config.default.php: Trust only listed proxies for IP
Allow/Deny.
2006-11-16 Marc Delisle <lem9@users.sourceforge.net>
* pmd_pdf.php: export coordinates to PDF page even if the tables
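Review bot: the new entry for Documentation.html, libraries/ip_allow_deny.lib.php and libraries/config.default.php does not mention that behaviour changes for existing installs. With $cfg['TrustedProxies'] defaulting to array(), PMA_getIp() returns the direct address even when a proxy header is present, so Allow/Deny rules written against client addresses behind a proxy stop matching until that proxy is listed. Suggest one more sentence in the entry saying so.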

@@ -501,7 +501,7 @@ GRANT ALL PRIVILEGES ON user_base.* TO 'real_user'@localhost IDENTIFIED BY 'real
suggested, perhaps a <a href="#glossary">.htaccess</a> file with the
HTTP-AUTH directive or disallowing incoming HTTP requests at
one&#8217;s router or firewall will suffice (both of which
are beyond the scope of this manual but easily searchable with Google).</li>
are beyond the scope of this manual but easily searchable with Google).</li>
</ul>
<!-- CONFIGURATION -->
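Review bot: the changed line "are beyond the scope of this manual but easily searchable with Google).</li>" reads the same before and after, so this looks like a whitespace-only edit unrelated to trusted proxies. Suggest dropping it from this commit or putting it in a separate cleanup commit, so the security change stays easy to audit and backport.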
@@ -1006,7 +1006,11 @@ ALTER TABLE `pma_column_comments`
listed in the <i>allow</i> rules, and not listed in the <i>deny</i>
rules. This is the <b>most</b> secure means of using Allow/Deny rules,
and was available in Apache by specifying allow and deny rules without
setting any order.
setting any order.<br /><br />
Please also see <a
href="#cfg_TrustedProxies">$cfg['TrustedProxies']</a> for detecting IP
address behind proxies.
</dd>
<dt id="servers_allowdeny_rules">
<span id="cfg_Servers_AllowDeny_rules">$cfg['Servers'][$i]['AllowDeny']['rules']</span> array of strings
@@ -1447,6 +1451,13 @@ ALTER TABLE `pma_column_comments`
Character sets will be shown in same order as here listed, so if you
frequently use some of these move them to the top.</dd>
<dt id="cfg_TrustedProxies">$cfg['TrustedProxies'] array</dt>
<dd>Lists proxies which are trusted for <a
href="#servers_allowdeny_order">IP Allow/Deny</a>. This list is by
default empty, you need to fill in some trusted proxy servers if you
want to use rules for IP addresses behind proxy.
</dd>
<dt id="cfg_GD2Available">$cfg['GD2Available'] string</dt>
<dd>Specifies whether GD &gt;= 2 is available. If yes it can be used for
MIME transformations.<br />
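Review bot: the new cfg_TrustedProxies entry does not say what form the list items take or which address they are compared with. The code compares the connecting address ($direct_ip, from REMOTE_ADDR) against the list with in_array(), so each entry has to be the proxy's exact IP address as a string; the masks and ranges that Allow/Deny rules accept are not matched here. Suggest stating that and adding a short sample value, and noting that while the list is empty the rules are evaluated against the direct connection address.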

@@ -612,6 +612,8 @@ $cfg['GD2Available'] = 'auto'; // Is GD >= 2 available? Set to yes/
// does autodetection, which is a bit expensive for
// php < 4.3.0, but it is the only safe vay how to
// determine GD version.
$cfg['TrustedProxies'] = array(); // List of trusted proxies for IP allow/deny
/**
* SQL Parser Settings
*/

@@ -50,6 +50,8 @@ function PMA_getIp()
// Gets the default ip sent by the user
if (!empty($REMOTE_ADDR)) {
$direct_ip = $REMOTE_ADDR;
} else {
$direct_ip = '';
}
// Gets the proxy ip sent by the user
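Review bot: the added else branch sets $direct_ip = '' when $REMOTE_ADDR is empty, which keeps the later in_array() call from reading an undefined variable, but the function's own comment says it returns the IP "if it has been found, else false". With this default the no-proxy path returns an empty string instead. Suggest either initialising to false, or updating that comment and checking that callers test the result with empty() rather than a comparison with false.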
@@ -71,7 +73,7 @@ function PMA_getIp()
} // end if... elseif...
// Returns the true IP if it has been found, else false
if (empty($proxy_ip)) {
if (empty($proxy_ip) || !in_array($direct_ip, $GLOBALS['cfg']['TrustedProxies'])) {
// True IP without proxy
return $direct_ip;
} else {
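Review bot: in the new condition, in_array($direct_ip, $GLOBALS['cfg']['TrustedProxies']) is called without the strict third argument, so values are compared loosely. Suggest passing true so that only an exact string match marks the sender as a trusted proxy. The comment "True IP without proxy" on this branch is also no longer accurate, because the branch is now taken when a proxy header arrives from a host that is not listed; wording such as "No proxy header, or sender is not a trusted proxy" would describe it.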