Fix handling of X-Forwarded-For header with multiple addresses (#1489481)

pull/158/merge
Aleksander Machniak 11 years ago
parent 7b1969ad60
commit a520f331c1

@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail CHANGELOG Roundcube Webmail
=========================== ===========================
- Fix handling of X-Forwarded-For header with multiple addresses (#1489481)
- Fix border issue on folders list in classic skin (#1489473) - Fix border issue on folders list in classic skin (#1489473)
- Implemented menu actions to copy/move messages, added folder-selector widget (#1484086) - Implemented menu actions to copy/move messages, added folder-selector widget (#1484086)
- Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477) - Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477)

@ -680,9 +680,17 @@ class rcube_utils
*/ */
public static function remote_addr() public static function remote_addr()
{ {
foreach (array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR') as $prop) { if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
if (!empty($_SERVER[$prop])) $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
return $_SERVER[$prop]; return $hosts[0];
}
if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
return $_SERVER['HTTP_X_REAL_IP'];
}
if (!empty($_SERVER['REMOTE_ADDR'])) {
return $_SERVER['REMOTE_ADDR'];
} }
return ''; return '';
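Review bot: remote_addr() still returns X-Forwarded-For and X-Real-IP without checking that the request arrived from a proxy the deployment trusts, so a client that connects directly can choose the address this function reports. The new `explode(',', ..., 2)` keeps the leftmost entry, which is the one a client can most easily supply, and it is returned untrimmed and unvalidated. I would consult the forwarded headers only when `$_SERVER['REMOTE_ADDR']` matches a configured trusted proxy, and reject anything that is not an address, e.g. `$ip = trim($hosts[0]); if (filter_var($ip, FILTER_VALIDATE_IP)) return $ip;`. The `http_received_header` hunk below reads the same header the same way. The function's closing brace lies outside this hunk.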

@ -345,9 +345,10 @@ if ($CONFIG['http_received_header'])
$nldlm = "\r\n\t"; $nldlm = "\r\n\t";
// FROM/VIA // FROM/VIA
$http_header = 'from '; $http_header = 'from ';
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$host = $_SERVER['HTTP_X_FORWARDED_FOR']; $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
$hostname = gethostbyaddr($host); $hostname = gethostbyaddr($hosts[0]);
if ($CONFIG['http_received_header_encrypt']) { if ($CONFIG['http_received_header_encrypt']) {
$http_header .= rcmail_encrypt_header($hostname); $http_header .= rcmail_encrypt_header($hostname);
if ($host != $hostname) if ($host != $hostname)
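Review bot: `$host` is no longer assigned on the new side of this hunk, yet the context line `if ($host != $hostname)` still reads it. Unless it is set outside the hunk, the comparison runs against an undefined variable and the original address is lost from the header. Keep the variable: `$host = trim($hosts[0]);` followed by `$hostname = gethostbyaddr($host);`. The value passed to gethostbyaddr() is client-supplied, so checking it with `filter_var($host, FILTER_VALIDATE_IP)` first avoids a lookup warning and a `false` hostname on malformed input. The `if` block continues past the end of the hunk.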
