holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

remove all private IP addresses from X-Forwarded-For header, not just 10.0.0.0/8

Browse Source
This commit is contained in:
ralf 2022-10-27 14:54:40 +02:00
parent 64fd769586
commit ce5e30dc4c
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/src/Session.php
View File

@ -1607,7 +1607,7 @@ class Session
{
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$forwarded_for = preg_replace('/, *10\..*$/', '', $_SERVER['HTTP_X_FORWARDED_FOR']);
$forwarded_for = preg_replace('/, *(192\.168|172\.(1[6789]|2[0-9]|3[01])|10)\..*$/', '', $_SERVER['HTTP_X_FORWARDED_FOR']);
if (preg_match(self::IP_REGEXP, $forwarded_for))
{
return $forwarded_for;
@ -2193,4 +2193,4 @@ class Session
'notification_heartbeat > '.self::heartbeat_limit(),
), __LINE__, __FILE__)->fetchColumn();
}
}
}