author | Dylan William Hardison <dylan@hardison.net> | 2016-07-04 17:43:44 +0200 |
---|---|---|
committer | Dylan William Hardison <dylan@hardison.net> | 2016-07-08 18:09:52 +0200 |
commit | dfc33c89b8cac25951867a2e6821120c92bb055b (patch) | |
tree | f9879d1afdaf0c4b2928d32306cf8ec56aa73607 /Bugzilla/Util.pm | |
parent | 3f75ddd65da6a5753fa90b429ed6f43b4eeae088 (diff) | |
Bug 1284277 - allow inbound_proxy to be set to '*'
r=dkl
Diffstat (limited to 'Bugzilla/Util.pm')
-rw-r--r-- | Bugzilla/Util.pm | 35 |
1 files changed, 15 insertions, 20 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index e673a920e..dc41652f7 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -34,7 +34,7 @@ use Date::Parse;
 use Date::Format;
 use Digest;
 use Email::Address;
-use List::Util qw(first);
+use List::MoreUtils qw(none);
 use Scalar::Util qw(tainted blessed);
 use Text::Wrap;
 use Encode qw(encode decode resolve_alias);
@@ -284,28 +284,23 @@ sub correct_urlbase {
 }
 }
+# Returns the real remote address of the client,
 sub remote_ip {
- my $ip = $ENV{'REMOTE_ADDR'} || '127.0.0.1';
- my @proxies = split(/[\s,]+/, Bugzilla->params->{'inbound_proxies'});
-
- # If the IP address is one of our trusted proxies, then we look at
- # the X-Forwarded-For header to determine the real remote IP address.
- if ($ENV{'HTTP_X_FORWARDED_FOR'} && first { $_ eq $ip } @proxies) {
- my @ips = split(/[\s,]+/, $ENV{'HTTP_X_FORWARDED_FOR'});
- # This header can contain several IP addresses. We want the
- # IP address of the machine which connected to our proxies as
- # all other IP addresses may be fake or internal ones.
- # Note that this may block a whole external proxy, but we have
- # no way to determine if this proxy is malicious or trustable.
- foreach my $remote_ip (reverse @ips) {
- if (!first { $_ eq $remote_ip } @proxies) {
- # Keep the original IP address if the remote IP is invalid.
- $ip = validate_ip($remote_ip) || $ip;
- last;
- }
+ my $remote_ip = $ENV{'REMOTE_ADDR'} || '127.0.0.1';
+ my @proxies = split(/[\s,]+/, Bugzilla->params->{inbound_proxies});
+ my @x_forwarded_for = split(/[\s,]+/, $ENV{HTTP_X_FORWARDED_FOR} // '');
+
+ return $remote_ip unless @x_forwarded_for;
+ return $x_forwarded_for[0] if $proxies[0] eq '*';
+ return $remote_ip if none { $_ eq $remote_ip } @proxies;
+
+ foreach my $ip (reverse @x_forwarded_for) {
+ if (none { $_ eq $ip } @proxies) {
+ # Keep the original IP address if the remote IP is invalid.
+ return validate_ip($ip) || $remote_ip;
 }
 }
- return $ip;
+ return $remote_ip;
 }
 sub validate_ip { |
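Review bot: In `remote_ip`, the `'*'` branch returns `$x_forwarded_for[0]` without passing it through `validate_ip`, whereas the loop path further down does validate before returning. The leftmost X-Forwarded-For entry is whatever the client sent unless the edge proxy overwrites the header, so with `inbound_proxies` set to `'*'` an arbitrary string can become the address the rest of the code treats as the client IP. I would change the line to `return validate_ip($x_forwarded_for[0]) || $remote_ip if ($proxies[0] // '') eq '*';`, which also avoids an uninitialized-value warning when `inbound_proxies` is empty and the header is present. The new comment above `sub remote_ip` ends on a comma; finish it, for example `# Returns the real remote address of the client, honouring X-Forwarded-For only when REMOTE_ADDR is a configured inbound proxy ('*' trusts every hop and is safe only if the edge proxy replaces client-supplied X-Forwarded-For).`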