[ros-diffs] [cfinck] 446: Change the RosCMS Login code and Bugzilla's ROSCMS Login module to determine the client's IP address also from the X-Forwarded-For header. This also readds the IP check to Bugzilla.

Author: cfinck Date: Thu Jul 9 04:00:45 2009 New Revision: 446 URL: http://svn.reactos.org/svn/reactos?rev=446&view=rev Log: Change the RosCMS Login code and Bugzilla's ROSCMS Login module to determine the client's IP address also from the X-Forwarded-For header. This also readds the IP check to Bugzilla. Modified: branches/danny-web/www/www.reactos.org/bugzilla/Bugzilla/Auth/Login/ROSCMS.… branches/danny-web/www/www.reactos.org/roscms/lib/om/Login.class.php Modified: branches/danny-web/www/www.reactos.org/bugzilla/Bugzilla/Auth/Login/ROSCMS.… URL: http://svn.reactos.org/svn/reactos/branches/danny-web/www/www.reactos.org/b… ============================================================================== --- branches/danny-web/www/www.reactos.org/bugzilla/Bugzilla/Auth/Login/ROSCMS.… [iso-8859-1] (original) +++ branches/danny-web/www/www.reactos.org/bugzilla/Bugzilla/Auth/Login/ROSCMS.… [iso-8859-1] Thu Jul 9 04:00:45 2009 @@ -72,10 +72,24 @@ if ( defined $session_id ) { my $session_id_clean = $session_id; trick_taint($session_id_clean); - + + my $ip_clean; + if ($ENV{'HTTP_X_FORWARDED_FOR'}) { + my @proxies = split(/,/, $ENV{'HTTP_X_FORWARDED_FOR'}); + $ip_clean = $proxies[0]; + } else { + $ip_clean = $ENV{'REMOTE_ADDR'}; + } + + if ($ip_clean =~ m/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) { + $ip_clean = $1; + } else { + $ip_clean = 'invalid'; + } + my $browser_agent_clean = $ENV{'HTTP_USER_AGENT'}; trick_taint($browser_agent_clean); - + my $query = "SELECT m.subsys_user_id, m.user_id " . " FROM $roscms_db_name.roscms_accounts_sessions s " . " JOIN $roscms_db_name.roscms_accounts u ON s.user_id = u.id " . @@ -83,11 +97,13 @@ " WHERE s.id = ? " . " AND (s.expires IS NULL OR " . " NOW() <= s.expires) " . + " AND (s.ip = 'false' OR " . + " s.ip = ?) " . " AND (s.browseragent = 'false' OR " . " s.browseragent = ?) " . " AND m.subsys = 'bugzilla'"; - my @params = ($session_id_clean, $browser_agent_clean); + my @params = ($session_id_clean, $ip_clean, $browser_agent_clean); ($user_id, $roscms_user_id) = $dbh->selectrow_array($query, undef, @params); if ($user_id) { Modified: branches/danny-web/www/www.reactos.org/roscms/lib/om/Login.class.php URL: http://svn.reactos.org/svn/reactos/branches/danny-web/www/www.reactos.org/r… ============================================================================== --- branches/danny-web/www/www.reactos.org/roscms/lib/om/Login.class.php [iso-8859-1] (original) +++ branches/danny-web/www/www.reactos.org/roscms/lib/om/Login.class.php [iso-8859-1] Thu Jul 9 04:00:45 2009 @@ -60,10 +60,18 @@ $session_id = $matches[1]; // get a valid ip - if (isset($_SERVER['REMOTE_ADDR']) && preg_match('/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/', $_SERVER['REMOTE_ADDR'], $matches) ) { - $remote_addr = $matches[1]; - } - else{ + if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) + { + $proxies = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); + $remote_addr = $proxies[0]; + } + else + { + $remote_addr = $_SERVER['REMOTE_ADDR']; + } + + if (!preg_match('/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/', $remote_addr)) + { $remote_addr = 'invalid'; }