From e45ad2b74d9534395616d661cf4656d6f259943b Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 9 Oct 2012 13:11:15 +0300 Subject: Merge changes from 2.1-stable --- system/core/Input.php | 97 +++++++++++++++++++++++++-------------------------- 1 file changed, 48 insertions(+), 49 deletions(-) (limited to 'system/core/Input.php') diff --git a/system/core/Input.php b/system/core/Input.php index 657fce625..4bb08f808 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -328,66 +328,65 @@ class CI_Input { return $this->ip_address; } - if (config_item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR')) - { - $has_ranges = strpos($proxies, '/') !== FALSE; - $proxies = preg_split('/[\s,]/', config_item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY); - $proxies = is_array($proxies) ? $proxies : array($proxies); + $this->ip_address = $_SERVER['REMOTE_ADDR']; + $proxy_ips = config_item('proxy_ips'); - if ($has_ranges) + if ( ! empty($proxy_ips)) + { + foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) { - $long_ip = ip2long($_SERVER['REMOTE_ADDR']); - $bit_32 = 1 << 32; - - // Go through each of the IP Addresses to check for and - // test against range notation - foreach ($proxies as $ip) + if (($spoof = $this->server($header)) !== FALSE) { - list($address, $mask_length) = explode('/', $ip, 2); + // Some proxies typically list the whole chain of IP + // addresses through which the client has reached us. + // e.g. client_ip, proxy_ip1, proxy_ip2, etc. + if (strpos($spoof, ',') !== FALSE) + { + $spoof = explode(',', $spoof, 2); + $spoof = $spoof[0]; + } - // Generate the bitmask for a 32 bit IP Address - $bitmask = $bit_32 - (1 << (32 - (int) $mask_length)); - if (($long_ip & $bitmask) === $address) + if ( ! $this->valid_ip($spoof)) + { + $spoof = FALSE; + } + else { - $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; break; } } - } - else + + if ($spoof) { - $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) - ? $_SERVER['HTTP_X_FORWARDED_FOR'] - : $_SERVER['REMOTE_ADDR']; - } - } - elseif ( ! $this->server('HTTP_CLIENT_IP') && $this->server('REMOTE_ADDR')) - { - $this->ip_address = $_SERVER['REMOTE_ADDR']; - } - elseif ($this->server('REMOTE_ADDR') && $this->server('HTTP_CLIENT_IP')) - { - $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; - } - elseif ($this->server('HTTP_CLIENT_IP')) - { - $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; - } - elseif ($this->server('HTTP_X_FORWARDED_FOR')) - { - $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; - } + $has_ranges = (strpos($proxy_ips, '/') !== FALSE); + $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); - if ($this->ip_address === FALSE) - { - return $this->ip_address = '0.0.0.0'; - } + if ($has_ranges) + { + $long_ip = ip2long($_SERVER['REMOTE_ADDR']); + $bit_32 = 1 << 32; - if (strpos($this->ip_address, ',') !== FALSE) - { - $x = explode(',', $this->ip_address); - $this->ip_address = trim($x[0]); + // Go through each of the IP Addresses to check for and + // test against range notation + foreach ($proxy_ips as $ip) + { + list($address, $mask_length) = explode('/', $ip, 2); + + // Generate the bitmask for a 32 bit IP Address + $bitmask = $bit_32 - (1 << (32 - (int) $mask_length)); + if (($long_ip & $bitmask) === $address) + { + $this->ip_address = $spoof; + break; + } + } + } + elseif (in_array($_SERVER['REMOTE_ADDR'], $proxy_ips, TRUE)) + { + $this->ip_address = $spoof; + } + } } if ( ! $this->valid_ip($this->ip_address)) @@ -545,7 +544,7 @@ class CI_Input { $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); // CSRF Protection check - if ($this->_enable_csrf === TRUE) + if ($this->_enable_csrf === TRUE && ! $this->is_cli_request()) { $this->security->csrf_verify(); } -- cgit v1.2.3-24-g4f1b