[ros-diffs] [cfinck] 446: Change the RosCMS Login code and Bugzilla's ROSCMS Login module to determine the client's IP address also from the X-Forwarded-For header. This also readds the IP check to Bugzilla.

cfinck at svn.reactos.org cfinck at svn.reactos.org
Thu Jul 9 02:00:46 CEST 2009


Author: cfinck
Date: Thu Jul  9 04:00:45 2009
New Revision: 446

URL: http://svn.reactos.org/svn/reactos?rev=446&view=rev
Log:
Change the RosCMS Login code and Bugzilla's ROSCMS Login module to determine the client's IP address also from the X-Forwarded-For header.
This also re-adds the IP check to Bugzilla.

Modified:
    branches/danny-web/www/www.reactos.org/bugzilla/Bugzilla/Auth/Login/ROSCMS.pm
    branches/danny-web/www/www.reactos.org/roscms/lib/om/Login.class.php

Modified: branches/danny-web/www/www.reactos.org/bugzilla/Bugzilla/Auth/Login/ROSCMS.pm
URL: http://svn.reactos.org/svn/reactos/branches/danny-web/www/www.reactos.org/bugzilla/Bugzilla/Auth/Login/ROSCMS.pm?rev=446&r1=445&r2=446&view=diff
==============================================================================
--- branches/danny-web/www/www.reactos.org/bugzilla/Bugzilla/Auth/Login/ROSCMS.pm [iso-8859-1] (original)
+++ branches/danny-web/www/www.reactos.org/bugzilla/Bugzilla/Auth/Login/ROSCMS.pm [iso-8859-1] Thu Jul  9 04:00:45 2009
@@ -72,10 +72,24 @@
 	if ( defined $session_id ) {
 		my $session_id_clean = $session_id;
 		trick_taint($session_id_clean);
-
+		
+		my $ip_clean;
+		if ($ENV{'HTTP_X_FORWARDED_FOR'}) {
+			my @proxies = split(/,/, $ENV{'HTTP_X_FORWARDED_FOR'});
+			$ip_clean = $proxies[0];
+		} else {
+			$ip_clean = $ENV{'REMOTE_ADDR'};
+		}
+		
+		if ($ip_clean =~ m/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {
+			$ip_clean = $1;
+		} else {
+			$ip_clean = 'invalid';
+		}
+		
 		my $browser_agent_clean = $ENV{'HTTP_USER_AGENT'};
 		trick_taint($browser_agent_clean);
-
+		
 		my $query = "SELECT m.subsys_user_id, m.user_id " .
 				"  FROM $roscms_db_name.roscms_accounts_sessions s " .
                                 "  JOIN $roscms_db_name.roscms_accounts u ON s.user_id = u.id " .
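Review bot: The X-Forwarded-For value read at the top of the new block is client-supplied, and taking `$proxies[0]` means any request can set `$ip_clean` to an arbitrary address, so the session-to-IP binding this commit re-introduces can be satisfied by whoever can guess or steal a session id. The header should only be honored when `$ENV{'REMOTE_ADDR'}` is one of the reverse proxies actually in front of this host, and the address to use is the last element (the one that trusted proxy appended), not the first. Splitting on `\s*,\s*` also avoids carrying a leading space into the later format check. The enclosing routine starts before this hunk and the `$query` statement continues into the next one.

```perl
my $ip_clean;
my @trusted_proxies = ();   # addresses of the reverse proxy(ies) in front of this host
if ($ENV{'HTTP_X_FORWARDED_FOR'} && grep { $_ eq $ENV{'REMOTE_ADDR'} } @trusted_proxies) {
	my @proxies = split(/\s*,\s*/, $ENV{'HTTP_X_FORWARDED_FOR'});
	$ip_clean = $proxies[-1];
} else {
	$ip_clean = $ENV{'REMOTE_ADDR'};
}
# … unchanged: dotted-quad format check that falls back to 'invalid' …
```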
@@ -83,11 +97,13 @@
 				" WHERE s.id = ? " .
 				"   AND (s.expires IS NULL OR " .
 				"        NOW() <= s.expires) " .
+				"   AND (s.ip = 'false' OR " .
+				"        s.ip = ?) " .
 				"   AND (s.browseragent = 'false' OR " .
 				"        s.browseragent = ?) " .
 				"   AND m.subsys = 'bugzilla'";
 
-		my @params = ($session_id_clean, $browser_agent_clean);
+		my @params = ($session_id_clean, $ip_clean, $browser_agent_clean);
 		($user_id, $roscms_user_id) = $dbh->selectrow_array($query, undef, @params);
 		
 		if ($user_id) {
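Review bot: The new `s.ip = ?` clause compares `$ip_clean` even when it holds the literal sentinel `'invalid'`, so if the RosCMS side ever stores that same sentinel for sessions created from an unparseable address (the PHP hunk in this commit assigns `'invalid'` in that case), a request with a malformed X-Forwarded-For would match those sessions rather than be rejected; whether the sentinel is persisted is not visible here. Safer to treat an unparseable address as a lookup failure before querying, e.g. `if ($ip_clean eq 'invalid') { ... fail the login ... }` in whatever form this routine uses to report no session. The `$query` statement begins in the previous hunk and the routine continues past `if ($user_id) {`.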

Modified: branches/danny-web/www/www.reactos.org/roscms/lib/om/Login.class.php
URL: http://svn.reactos.org/svn/reactos/branches/danny-web/www/www.reactos.org/roscms/lib/om/Login.class.php?rev=446&r1=445&r2=446&view=diff
==============================================================================
--- branches/danny-web/www/www.reactos.org/roscms/lib/om/Login.class.php [iso-8859-1] (original)
+++ branches/danny-web/www/www.reactos.org/roscms/lib/om/Login.class.php [iso-8859-1] Thu Jul  9 04:00:45 2009
@@ -60,10 +60,18 @@
       $session_id = $matches[1];
 
       // get a valid ip
-      if (isset($_SERVER['REMOTE_ADDR']) && preg_match('/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/', $_SERVER['REMOTE_ADDR'], $matches) ) {
-          $remote_addr = $matches[1];
-      }
-      else{
+      if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER))
+      {
+      	$proxies = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
+      	$remote_addr = $proxies[0];
+      }
+      else
+      {
+      	$remote_addr = $_SERVER['REMOTE_ADDR'];
+      }
+      
+      if (!preg_match('/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/', $remote_addr))
+      {
           $remote_addr = 'invalid';
       }
 
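Review bot: The new branch trusts `$_SERVER['HTTP_X_FORWARDED_FOR']` unconditionally and uses its first element, which any client can set, so `$remote_addr` no longer reflects the peer the server actually talked to and an IP-bound session can be matched from anywhere. The replaced code also guarded `REMOTE_ADDR` with `isset()`; the new `else` branch reads it bare and will raise a notice when the key is absent (e.g. a CLI run). Honor the header only when `REMOTE_ADDR` is a known reverse proxy, take the last element, and keep the `isset()` guard; note also that `$` in the format check accepts a trailing newline unless the `D` modifier is added. `$remote_addr` is consumed after the end of this hunk.

```php
// get a valid ip
$trusted_proxies = array();   // addresses of the reverse proxy(ies) in front of this host
$remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER) && in_array($remote_addr, $trusted_proxies, true))
{
  $proxies = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
  $remote_addr = end($proxies);
}
// … unchanged: dotted-quad format check that sets 'invalid' …
```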


