extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2025-01-08 23:19:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

remove all private IP addresses from X-Forwarded-For header, not just 10.0.0.0/8

Browse Source
This commit is contained in:
ralf 2022-10-27 14:54:40 +02:00
parent 64fd769586
commit ce5e30dc4c
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/src/Session.php
View File

@ -1607,7 +1607,7 @@ class Session
{ {
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{ {
$forwarded_for = preg_replace('/, *10\..*$/', '', $_SERVER['HTTP_X_FORWARDED_FOR']); $forwarded_for = preg_replace('/, *(192\.168|172\.(1[6789]|2[0-9]|3[01])|10)\..*$/', '', $_SERVER['HTTP_X_FORWARDED_FOR']);
if (preg_match(self::IP_REGEXP, $forwarded_for)) if (preg_match(self::IP_REGEXP, $forwarded_for))
{ {
return $forwarded_for; return $forwarded_for;
@ -2193,4 +2193,4 @@ class Session
'notification_heartbeat > '.self::heartbeat_limit(), 'notification_heartbeat > '.self::heartbeat_limit(),
), __LINE__, __FILE__)->fetchColumn(); ), __LINE__, __FILE__)->fetchColumn();
} }
} }