From ce5e30dc4cc39793a9ebac65a66e1b82b7346cf2 Mon Sep 17 00:00:00 2001
From: ralf
Date: Thu, 27 Oct 2022 14:54:40 +0200
Subject: [PATCH] remove all private IP addresses from X-Forwarded-For header, not just 10.0.0.0/8

---
 api/src/Session.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/src/Session.php b/api/src/Session.php
index 597c252553..1e9b6f04d3 100644
--- a/api/src/Session.php
+++ b/api/src/Session.php
@@ -1607,7 +1607,7 @@ class Session
 {
 if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
 {
- $forwarded_for = preg_replace('/, *10\..*$/', '', $_SERVER['HTTP_X_FORWARDED_FOR']);
+ $forwarded_for = preg_replace('/, *(192\.168|172\.(1[6789]|2[0-9]|3[01])|10)\..*$/', '', $_SERVER['HTTP_X_FORWARDED_FOR']);
 if (preg_match(self::IP_REGEXP, $forwarded_for))
 {
 return $forwarded_for;
@@ -2193,4 +2193,4 @@ class Session
 'notification_heartbeat > '.self::heartbeat_limit(),
 ), __LINE__, __FILE__)->fetchColumn();
 }
-}
+}
\ No newline at end of file
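Review bot: The new pattern on the added line still does not cover every non-public range the subject line promises: 127.0.0.0/8 (the usual hop when a reverse proxy on the same host forwards via loopback), 169.254.0.0/16, and the IPv6 equivalents (::1, fc00::/7, fe80::/10) all survive stripping, so a trailing proxy entry from one of those ranges still makes the whole header fail IP_REGEXP or leak into the returned address. A pattern that also drops those hops, keeping the rest of the line unchanged, would be `'/, *(?:(?:127|10|192\.168|169\.254|172\.(?:1[6-9]|2[0-9]|3[01]))\.|::1|f[cd][0-9a-f]{2}:|fe80:).*$/i'`. Note that the pattern only removes entries after a comma, so a header consisting of a single private address is returned as-is if it matches IP_REGEXP; if that is intended it deserves a comment, e.g. `// only trailing proxy hops are stripped; a lone private entry is kept`. Independently of this commit, X-Forwarded-For is client-supplied, so whatever this value is used for should presumably only honor the header when REMOTE_ADDR is a known proxy — worth confirming against the caller. The enclosing method's signature and its fallback after the `if` lie outside the hunk.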