summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorDylan William Hardison <dylan@hardison.net>2015-10-28 03:27:34 +0100
committerDylan William Hardison <dylan@hardison.net>2015-10-28 03:28:03 +0100
commit175f9c1022672ae8d47c93ad0cf31084eb868ecb (patch)
tree75917b225847248910adcea2f686ed20b2b009c5 /Bugzilla
parentf521f52eaee19967ef5898cad3c8cf1cd8b84675 (diff)
downloadbugzilla-175f9c1022672ae8d47c93ad0cf31084eb868ecb.tar.gz
bugzilla-175f9c1022672ae8d47c93ad0cf31084eb868ecb.tar.xz
Bug 1217536 - allow inbound_proxy supports '*'
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Config/Advanced.pm13
-rw-r--r--Bugzilla/Config/Common.pm11
-rw-r--r--Bugzilla/Util.pm35
3 files changed, 28 insertions, 31 deletions
diff --git a/Bugzilla/Config/Advanced.pm b/Bugzilla/Config/Advanced.pm
index 4b57df24d..893213b02 100644
--- a/Bugzilla/Config/Advanced.pm
+++ b/Bugzilla/Config/Advanced.pm
@@ -47,7 +47,7 @@ use constant get_param_list => (
name => 'inbound_proxies',
type => 't',
default => '',
- checker => \&check_ip
+ checker => \&check_inbound_proxies
},
{
@@ -108,4 +108,15 @@ use constant get_param_list => (
},
);
+sub check_inbound_proxies {
+ my $inbound_proxies = shift;
+
+ return "" if $inbound_proxies eq "*";
+ my @proxies = split(/[\s,]+/, $inbound_proxies);
+ foreach my $proxy (@proxies) {
+ validate_ip($proxy) || return "$proxy is not a valid IPv4 or IPv6 address";
+ }
+ return "";
+}
+
1;
diff --git a/Bugzilla/Config/Common.pm b/Bugzilla/Config/Common.pm
index 35a70994b..4c9994e0e 100644
--- a/Bugzilla/Config/Common.pm
+++ b/Bugzilla/Config/Common.pm
@@ -48,7 +48,7 @@ use base qw(Exporter);
qw(check_multi check_numeric check_regexp check_url check_group
check_sslbase check_priority check_severity check_platform
check_opsys check_shadowdb check_urlbase check_webdotbase
- check_user_verify_class check_ip
+ check_user_verify_class
check_mail_delivery_method check_notification check_utf8
check_bug_status check_smtp_auth check_theschwartz_available
check_maxattachmentsize check_email
@@ -130,15 +130,6 @@ sub check_sslbase {
return "";
}
-sub check_ip {
- my $inbound_proxies = shift;
- my @proxies = split(/[\s,]+/, $inbound_proxies);
- foreach my $proxy (@proxies) {
- validate_ip($proxy) || return "$proxy is not a valid IPv4 or IPv6 address";
- }
- return "";
-}
-
sub check_utf8 {
my $utf8 = shift;
# You cannot turn off the UTF-8 parameter if you've already converted
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index d80ab9569..f793ed727 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -57,7 +57,7 @@ use DateTime;
use DateTime::TimeZone;
use Digest;
use Email::Address;
-use List::Util qw(first);
+use List::MoreUtils qw(none);
use Scalar::Util qw(tainted blessed);
use Text::Wrap;
use Encode qw(encode decode resolve_alias);
@@ -305,28 +305,23 @@ sub correct_urlbase {
}
}
+# Returns the real remote address of the client,
sub remote_ip {
- my $ip = $ENV{'REMOTE_ADDR'} || '127.0.0.1';
- my @proxies = split(/[\s,]+/, Bugzilla->params->{'inbound_proxies'});
-
- # If the IP address is one of our trusted proxies, then we look at
- # the X-Forwarded-For header to determine the real remote IP address.
- if ($ENV{'HTTP_X_FORWARDED_FOR'} && first { $_ eq $ip } @proxies) {
- my @ips = split(/[\s,]+/, $ENV{'HTTP_X_FORWARDED_FOR'});
- # This header can contain several IP addresses. We want the
- # IP address of the machine which connected to our proxies as
- # all other IP addresses may be fake or internal ones.
- # Note that this may block a whole external proxy, but we have
- # no way to determine if this proxy is malicious or trustable.
- foreach my $remote_ip (reverse @ips) {
- if (!first { $_ eq $remote_ip } @proxies) {
- # Keep the original IP address if the remote IP is invalid.
- $ip = validate_ip($remote_ip) || $ip;
- last;
- }
+ my $remote_ip = $ENV{'REMOTE_ADDR'} || '127.0.0.1';
+ my @proxies = split(/[\s,]+/, Bugzilla->params->{inbound_proxies});
+ my @x_forwarded_for = split(/[\s,]+/, $ENV{HTTP_X_FORWARDED_FOR} // '');
+
+ return $remote_ip unless @x_forwarded_for;
+ return $x_forwarded_for[0] if $proxies[0] eq '*';
+ return $remote_ip if none { $_ eq $remote_ip } @proxies;
+
+ foreach my $ip (reverse @x_forwarded_for) {
+ if (none { $_ eq $ip } @proxies) {
+ # Keep the original IP address if the remote IP is invalid.
+ return validate_ip($ip) || $remote_ip;
}
}
- return $ip;
+ return $remote_ip;
}
sub validate_ip {