diff options
-rw-r--r-- | system/core/Input.php | 97 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 27 |
2 files changed, 69 insertions, 55 deletions
diff --git a/system/core/Input.php b/system/core/Input.php index 657fce625..4bb08f808 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -328,66 +328,65 @@ class CI_Input { return $this->ip_address; } - if (config_item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR')) - { - $has_ranges = strpos($proxies, '/') !== FALSE; - $proxies = preg_split('/[\s,]/', config_item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY); - $proxies = is_array($proxies) ? $proxies : array($proxies); + $this->ip_address = $_SERVER['REMOTE_ADDR']; + $proxy_ips = config_item('proxy_ips'); - if ($has_ranges) + if ( ! empty($proxy_ips)) + { + foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) { - $long_ip = ip2long($_SERVER['REMOTE_ADDR']); - $bit_32 = 1 << 32; - - // Go through each of the IP Addresses to check for and - // test against range notation - foreach ($proxies as $ip) + if (($spoof = $this->server($header)) !== FALSE) { - list($address, $mask_length) = explode('/', $ip, 2); + // Some proxies typically list the whole chain of IP + // addresses through which the client has reached us. + // e.g. client_ip, proxy_ip1, proxy_ip2, etc. + if (strpos($spoof, ',') !== FALSE) + { + $spoof = explode(',', $spoof, 2); + $spoof = $spoof[0]; + } - // Generate the bitmask for a 32 bit IP Address - $bitmask = $bit_32 - (1 << (32 - (int) $mask_length)); - if (($long_ip & $bitmask) === $address) + if ( ! $this->valid_ip($spoof)) + { + $spoof = FALSE; + } + else { - $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; break; } } - } - else + + if ($spoof) { - $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) - ? $_SERVER['HTTP_X_FORWARDED_FOR'] - : $_SERVER['REMOTE_ADDR']; - } - } - elseif ( ! $this->server('HTTP_CLIENT_IP') && $this->server('REMOTE_ADDR')) - { - $this->ip_address = $_SERVER['REMOTE_ADDR']; - } - elseif ($this->server('REMOTE_ADDR') && $this->server('HTTP_CLIENT_IP')) - { - $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; - } - elseif ($this->server('HTTP_CLIENT_IP')) - { - $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; - } - elseif ($this->server('HTTP_X_FORWARDED_FOR')) - { - $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; - } + $has_ranges = (strpos($proxy_ips, '/') !== FALSE); + $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); - if ($this->ip_address === FALSE) - { - return $this->ip_address = '0.0.0.0'; - } + if ($has_ranges) + { + $long_ip = ip2long($_SERVER['REMOTE_ADDR']); + $bit_32 = 1 << 32; - if (strpos($this->ip_address, ',') !== FALSE) - { - $x = explode(',', $this->ip_address); - $this->ip_address = trim($x[0]); + // Go through each of the IP Addresses to check for and + // test against range notation + foreach ($proxy_ips as $ip) + { + list($address, $mask_length) = explode('/', $ip, 2); + + // Generate the bitmask for a 32 bit IP Address + $bitmask = $bit_32 - (1 << (32 - (int) $mask_length)); + if (($long_ip & $bitmask) === $address) + { + $this->ip_address = $spoof; + break; + } + } + } + elseif (in_array($_SERVER['REMOTE_ADDR'], $proxy_ips, TRUE)) + { + $this->ip_address = $spoof; + } + } } if ( ! $this->valid_ip($this->ip_address)) @@ -545,7 +544,7 @@ class CI_Input { $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); // CSRF Protection check - if ($this->_enable_csrf === TRUE) + if ($this->_enable_csrf === TRUE && ! $this->is_cli_request()) { $this->security->csrf_verify(); } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 3e1cfcac4..20585d9bf 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -219,7 +219,6 @@ Release Date: Not Released - Added autoloading of drivers with $autoload['drivers']. - CI_Loader::library() will now load drivers as well, for backward compatibility of converted libraries (like Session). - :doc:`Common functions <general/common_functions>` changes include: - - ``is_loaded()`` function now returns a reference. - Added ``get_mimes()`` function to return the *config/mimes.php* array. - Added support for HTTP code 303 ("See Other") in ``set_status_header()``. - Removed redundant conditional to determine HTTP server protocol in ``set_status_header()``. @@ -279,17 +278,14 @@ Bug fixes for 3.0 - Fixed a bug in CUBRID's affected_rows() method where a connection resource was passed to cubrid_affected_rows() instead of a result. - Fixed a bug (#638) - db_set_charset() ignored its arguments and always used the configured charset instead. - Fixed a bug (#413) - Oracle's error handling methods used to only return connection-related errors. -- Fixed a bug (#804) - Profiler library was trying to handle objects as strings in some cases, resulting in warnings being issued by htmlspecialchars(). - Fixed a bug (#1101) - MySQL/MySQLi result method field_data() was implemented as if it was handling a DESCRIBE result instead of the actual result set. - Fixed a bug in Oracle's :doc:`Database Forge Class <database/forge>` method _create_table() where it failed with AUTO_INCREMENT as it's not supported. - Fixed a bug (#1080) - When using the SMTP protocol, the :doc:`Email Library <libraries/email>` send() method was returning TRUE even if the connection/authentication against the server failed. -- Fixed a bug (#499) - a CSRF cookie was created even with CSRF protection being disabled. - Fixed a bug (#306) - ODBC's insert_id() method was calling non-existent function odbc_insert_id(), which resulted in a fatal error. - Fixed a bug in Oracle's DB_result class where the cursor id passed to it was always NULL. - Fixed a bug (#64) - Regular expression in DB_query_builder.php failed to handle queries containing SQL bracket delimiters in the join condition. - Fixed a bug in the :doc:`Session Library <libraries/sessions>` where a PHP E_NOTICE error was triggered by _unserialize() due to results from databases such as MSSQL and Oracle being space-padded on the right. - Fixed a bug (#501) - set_rules() to check if the request method is not 'POST' before aborting, instead of depending on count($_POST) in the :doc:`Form Validation Library <libraries/form_validation>`. -- Fixed a bug (#940) - csrf_verify() used to set the CSRF cookie while processing a POST request with no actual POST data, which resulted in validating a request that should be considered invalid. - Fixed a bug (#136) - PostgreSQL, MySQL and MySQLi's escape_str() method didn't properly escape LIKE wild characters. - Fixed a bug in the library loader where some PHP versions wouldn't execute the class constructor. - Fixed a bug (#88) - An unexisting property was used for configuration of the Memcache cache driver. @@ -308,7 +304,6 @@ Bug fixes for 3.0 - Fixed a bug (#1265) - Database connections were always closed, regardless of the 'pconnect' option value. - Fixed a bug (#128) - :doc:`Language Library <libraries/language>` did not correctly keep track of loaded language files. - Fixed a bug (#1242) - Added Windows path compatibility to function read_dir of ZIP library. -- Fixed a bug (#1314) - sess_destroy() did not destroy userdata. - Fixed a bug (#1349) - get_extension() in the :doc:`File Uploading Library <libraries/file_uploading>` returned the original filename when it didn't have an actual extension. - Fixed a bug (#1273) - E_NOTICE being generated by :doc:`Query Builder <database/query_builder>`'s set_update_batch() method. - Fixed a bug (#44, #110) - :doc:`Upload library <libraries/file_uploading>`'s clean_file_name() method didn't clear '!' and '#' characters. @@ -329,7 +324,6 @@ Bug fixes for 3.0 - Fixed a bug (#1264) - :doc:`Database Forge <database/forge>` and :doc:`Database Utilities <database/utilities>` didn't update/reset the databases and tables list cache when a table or a database is created, dropped or renamed. - Fixed a bug (#7) - :doc:`Query Builder <database/query_builder>`'s ``join()`` method only escaped one set of conditions. - Fixed a bug (#1321) - Core Exceptions class couldn't find the errors/ folder in some cases. -- Fixed a bug in the File-based :doc:`Cache Library <libraries/caching>` driver's get_metadata() method where a non-existent array key was accessed for the TTL value. - Fixed a bug (#1202) - :doc:`Encryption Library <libraries/encryption>` encode_from_legacy() didn't set back the encrypt mode on failure. - Fixed a bug (#145) - compile_binds() failed when the bind marker was present in a literal string within the query. - Fixed a bug in protect_identifiers() where if passed along with the field names, operators got escaped as well. @@ -361,6 +355,27 @@ Bug fixes for 3.0 - Fixed a bug (#1257) - :doc:`Query Builder <database/query_builder>` used to (unnecessarily) group FROM clause contents, which breaks certain queries and is invalid for some databases. - Fixed a bug (#1709) - :doc:`Email <libraries/email>` headers were broken when using long email subjects and \r\n as CRLF. +Version 2.1.3 +============= + +Release Date: October 8, 2012 + +- Core + - :doc:`Common function <general/common_functions>` ``is_loaded()`` now returns a reference. + +Bug fixes for 2.1.3 +------------------- + +- Fixed a bug (#1543) - File-based :doc:`Caching <libraries/caching>` method ``get_metadata()`` used a non-existent array key to look for the TTL value. +- Fixed a bug (#1314) - :doc:`Session Library <libraries/session>` method ``sess_destroy()`` didn't destroy the userdata array. +- Fixed a bug (#804) - Profiler library was trying to handle objects as strings in some cases, resulting in *E_WARNING* messages being issued by ``htmlspecialchars()``. +- Fixed a bug (#1699) - :doc:`Migration Library <libraries/migration>` ignored the ``$config['migration_path']`` setting. +- Fixed a bug (#227) - :doc:`Input Library <libraries/input>` allowed unconditional spoofing of HTTP clients' IP addresses through the *HTTP_CLIENT_IP* header. +- Fixed a bug (#907) - :doc:`Input Library <libraries/input>` ignored *HTTP_X_CLUSTER_CLIENT_IP* and *HTTP_X_CLIENT_IP* headers when checking for proxies. +- Fixed a bug (#940) - ``csrf_verify()`` used to set the CSRF cookie while processing a POST request with no actual POST data, which resulted in validating a request that should be considered invalid. +- Fixed a bug (#499) - :doc:`Security Library <libraries/security>` where a CSRF cookie was created even if ``$config['csrf_protection']`` is set tot FALSE. +- Fixed a bug (#1715) - :doc:`Input Library <libraries/input>` triggered ``csrf_verify()`` on CLI requests. + Version 2.1.2 ============= |