From 175f9c1022672ae8d47c93ad0cf31084eb868ecb Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@hardison.net>
Date: Tue, 27 Oct 2015 22:27:34 -0400
Subject: Bug 1217536 - allow inbound_proxy supports '*'

---
 Bugzilla/Util.pm | 35 +++++++++++++++--------------------
 1 file changed, 15 insertions(+), 20 deletions(-)

(limited to 'Bugzilla/Util.pm')

diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index d80ab9569..f793ed727 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -57,7 +57,7 @@ use DateTime;
 use DateTime::TimeZone;
 use Digest;
 use Email::Address;
-use List::Util qw(first);
+use List::MoreUtils qw(none);
 use Scalar::Util qw(tainted blessed);
 use Text::Wrap;
 use Encode qw(encode decode resolve_alias);
@@ -305,28 +305,23 @@ sub correct_urlbase {
     }
 }
 
+# Returns the real remote address of the client,
 sub remote_ip {
-    my $ip = $ENV{'REMOTE_ADDR'} || '127.0.0.1';
-    my @proxies = split(/[\s,]+/, Bugzilla->params->{'inbound_proxies'});
-
-    # If the IP address is one of our trusted proxies, then we look at
-    # the X-Forwarded-For header to determine the real remote IP address.
-    if ($ENV{'HTTP_X_FORWARDED_FOR'} && first { $_ eq $ip } @proxies) {
-        my @ips = split(/[\s,]+/, $ENV{'HTTP_X_FORWARDED_FOR'});
-        # This header can contain several IP addresses. We want the
-        # IP address of the machine which connected to our proxies as
-        # all other IP addresses may be fake or internal ones.
-        # Note that this may block a whole external proxy, but we have
-        # no way to determine if this proxy is malicious or trustable.
-        foreach my $remote_ip (reverse @ips) {
-            if (!first { $_ eq $remote_ip } @proxies) {
-                # Keep the original IP address if the remote IP is invalid.
-                $ip = validate_ip($remote_ip) || $ip;
-                last;
-            }
+    my $remote_ip       = $ENV{'REMOTE_ADDR'} || '127.0.0.1';
+    my @proxies         = split(/[\s,]+/, Bugzilla->params->{inbound_proxies});
+    my @x_forwarded_for = split(/[\s,]+/, $ENV{HTTP_X_FORWARDED_FOR} // '');
+
+    return $remote_ip unless @x_forwarded_for;
+    return $x_forwarded_for[0] if $proxies[0] eq '*';
+    return $remote_ip if none { $_ eq $remote_ip } @proxies;
+
+    foreach my $ip (reverse @x_forwarded_for) {
+        if (none { $_ eq $ip } @proxies) {
+            # Keep the original IP address if the remote IP is invalid.
+            return validate_ip($ip) || $remote_ip;
         }
     }
-    return $ip;
+    return $remote_ip;
 }
 
 sub validate_ip {
-- 
cgit v1.2.3-24-g4f1b