author | Dries Buytaert <dries@buytaert.net> | 2008-07-04 22:54:09 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2008-07-04 22:54:09 +0000 |
commit | 2a34c23bc832119667fc07a22469f516d584a8ee (patch) | |
tree | 8ca414e5ba7b143ba1ef85edee28f29b7c75e435 | |
parent | 1415340ce390e2fa6a872e5efa9a152e34840454 (diff) | |
download | brdo-2a34c23bc832119667fc07a22469f516d584a8ee.tar.gz brdo-2a34c23bc832119667fc07a22469f516d584a8ee.tar.bz2 |
- Patch #258397 by Dries: fixed spoofing attack.
-rw-r--r-- | includes/bootstrap.inc | 31 |
1 files changed, 17 insertions, 14 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index fc7743989..626b87405 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1175,22 +1175,25 @@ function ip_address($reset = false) {
   if (!isset($ip_address) || $reset) {
     $ip_address = $_SERVER['REMOTE_ADDR'];
-    if (variable_get('reverse_proxy', 0) && array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
-      // If an array of known reverse proxy IPs is provided, then trust
-      // the XFF header if request really comes from one of them.
-      $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array());
-      if (!empty($reverse_proxy_addresses) && in_array($ip_address, $reverse_proxy_addresses, TRUE)) {
-        // If there are several arguments, we need to check the most
-        // recently added one, i.e. the last one.
-        $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+
+    if (variable_get('reverse_proxy', 0)) {
+      if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
+        // If an array of known reverse proxy IPs is provided, then trust
+        // the XFF header if request really comes from one of them.
+        $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array());
+        if (!empty($reverse_proxy_addresses) && in_array($ip_address, $reverse_proxy_addresses, TRUE)) {
+          // If there are several arguments, we need to check the most
+          // recently added one, i.e. the last one.
+          $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+        }
       }
-    }
-    // When Drupal is run in a cluster environment, REMOTE_ADDR contains the IP
-    // address of a server in the cluster, while the IP address of the client is
-    // stored in HTTP_X_CLUSTER_CLIENT_IP.
-    if (array_key_exists('HTTP_X_CLUSTER_CLIENT_IP', $_SERVER)) {
-      $ip_address = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
+      // When Drupal is run in a cluster environment, REMOTE_ADDR contains the IP
+      // address of a server in the cluster, while the IP address of the client is
+      // stored in HTTP_X_CLUSTER_CLIENT_IP.
+      if (array_key_exists('HTTP_X_CLUSTER_CLIENT_IP', $_SERVER)) {
+        $ip_address = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
+      }
     }
   }
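Review bot: HTTP_X_CLUSTER_CLIENT_IP is still accepted without the known-proxy check that the X-Forwarded-For branch performs: the new nesting only requires reverse_proxy to be enabled, so on a site whose proxy forwards that header unchanged a client-supplied value still replaces REMOTE_ADDR, and because this assignment runs last it also overrides whatever the XFF branch had just established. The safer shape is to decide once, from the unmodified REMOTE_ADDR (before $ip_address is reassigned), whether the request really came from a configured proxy and gate both headers on that decision, as sketched below; if some cluster deployments genuinely cannot list their proxies, that exception belongs in a comment next to the header rather than left implicit. The element popped from X-Forwarded-For is also used untrimmed, so a value like `a, b` yields ` b`; wrap it in `trim()` and pop from a local variable so array_pop() is not handed a temporary. The hunk header counts three more trailing context lines than are shown here, so the end of the isset block and the remainder of ip_address are not visible.
```php
    if (variable_get('reverse_proxy', 0)) {
      // Decide once, from the unmodified REMOTE_ADDR, whether this request
      // really arrived through one of the configured proxies; only then may
      // a forwarded header replace the address.
      $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array());
      $from_known_proxy = !empty($reverse_proxy_addresses) && in_array($_SERVER['REMOTE_ADDR'], $reverse_proxy_addresses, TRUE);

      if ($from_known_proxy && array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
        // If there are several arguments, we need to check the most
        // recently added one, i.e. the last one.
        $forwarded_for = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $ip_address = trim(array_pop($forwarded_for));
      }
      // … unchanged: cluster environment comment …
      if ($from_known_proxy && array_key_exists('HTTP_X_CLUSTER_CLIENT_IP', $_SERVER)) {
        $ip_address = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
      }
    }
```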