Diffstat (limited to 'includes')
-rw-r--r--includes/bootstrap.inc11
1 files changed, 8 insertions, 3 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 048efcd44..a8da6fcb2 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1101,9 +1101,14 @@ function ip_address() {
if (!isset($ip_address)) {
$ip_address = $_SERVER['REMOTE_ADDR'];
if (variable_get('reverse_proxy', 0) && array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
- // If there are several arguments, we need to check the most
- // recently added one, ie the last one.
- $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+ // If an array of known reverse proxy IPs is provided, then trust
+ // the XFF header if request really comes from one of them.
+ $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array());
+ if (!empty($reverse_proxy_addresses) && in_array($ip_address, $reverse_proxy_addresses, TRUE)) {
+ // If there are several arguments, we need to check the most
+ // recently added one, i.e. the last one.
+ $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+ }
}
}
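Review bot: The forwarded address on the `$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));` line is still taken from the header without trimming or validation, so with the usual "a, b" separator the stored value starts with a space, and any non-address text a trusted proxy passes through becomes the client IP. Splitting into a variable first and trimming would fix the whitespace and also avoid handing a function result to the by-reference `array_pop()`: `$forwarded = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);` followed by `$ip_address = trim(array_pop($forwarded));`. The comment above the new check should also state that when `reverse_proxy` is enabled but `reverse_proxy_addresses` is empty the header is now ignored and every request is attributed to `REMOTE_ADDR`, because that changes behaviour for sites that had only the first setting configured. `ip_address()` begins and ends outside this hunk.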