From f337abfa697395f2b39ac7d542e66da5538fa3f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A1bor=20Hojtsy?= Date: Mon, 26 Nov 2007 08:06:52 +0000 Subject: #173408 by markus_petrux / add1sun: move proxy IP configuration options to settings.php, because these need to be used before Drupal has the variables loaded from the database --- includes/bootstrap.inc | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'includes') diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 048efcd44..a8da6fcb2 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -1101,9 +1101,14 @@ function ip_address() { if (!isset($ip_address)) { $ip_address = $_SERVER['REMOTE_ADDR']; if (variable_get('reverse_proxy', 0) && array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) { - // If there are several arguments, we need to check the most - // recently added one, ie the last one. - $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])); + // If an array of known reverse proxy IPs is provided, then trust + // the XFF header if request really comes from one of them. + $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array()); + if (!empty($reverse_proxy_addresses) && in_array($ip_address, $reverse_proxy_addresses, TRUE)) { + // If there are several arguments, we need to check the most + // recently added one, i.e. the last one. + $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])); + } } } -- cgit v1.2.3