Changeset 497 for trunk/lib/Utilities.inc.php

Timestamp:

Sep 15, 2014 9:44:27 PM (10 years ago)

Author:

anonymous

Message:

Beginning the process of adapting codebase to foundation styles.

File:

• trunk/lib/Utilities.inc.php (modified) (4 diffs)

trunk/lib/Utilities.inc.php

@@ -1082 +1082 @@
 }
 
-/**
- * Returns the remote IP address, taking into consideration proxy servers.
- *
- * @param  bool $dolookup   If true we resolve to IP to a host name,
- *                          if false we don't.
- * @return string    IP address if $dolookup is false or no arg
- *                   Hostname if $dolookup is true
- */
-function getRemoteAddr($dolookup=false)
-{
-    $ip = getenv('HTTP_CLIENT_IP');
-    if (in_array($ip, array('', 'unknown', 'localhost', '127.0.0.1'))) {
-        $ip = getenv('HTTP_X_FORWARDED_FOR');
-        if (mb_strpos($ip, ',') !== false) {
-            // If HTTP_X_FORWARDED_FOR returns a comma-delimited list of IPs then return the first one (assuming the first is the original).
-            $ips = explode(',', $ip, 2);
-            $ip = $ips[0];
-        }
-        if (in_array($ip, array('', 'unknown', 'localhost', '127.0.0.1'))) {
-            $ip = getenv('REMOTE_ADDR');
-        }
-    }
-    return $dolookup && '' != $ip ? gethostbyaddr($ip) : $ip;
+/*
+* Returns the remote IP address, taking into consideration proxy servers.
+*
+* If strict checking is enabled, we will only trust REMOTE_ADDR or an HTTP header
+* value if REMOTE_ADDR is a trusted proxy (configured as an array in $cfg['trusted_proxies']).
+*
+* @access   public
+* @param    bool $dolookup            Resolve to IP to a hostname?
+* @param    bool $trust_all_proxies   Should we trust any IP address set in HTTP_* variables? Set to FALSE for secure usage.
+* @return   mixed Canonicalized IP address (or a corresponding hostname if $dolookup is true), or false if no IP was found.
+* @author   Alix Axel <http://stackoverflow.com/a/2031935/277303>
+* @author   Corey Ballou <http://blackbe.lt/advanced-method-to-obtain-the-client-ip-in-php/>
+* @author   Quinn Comendant <quinn@strangecode.com>
+* @version  1.0
+* @since    12 Sep 2014 19:07:46
+*/
+function getRemoteAddr($dolookup=false, $trust_all_proxies=true)
+{
+    global $cfg;
+
+    if (!isset($_SERVER['REMOTE_ADDR'])) {
+        // Must be a CLI.
+        return false;
+    }
+
+    // Use an HTTP header value only if $trust_all_proxies is true or when REMOTE_ADDR is in our $cfg['trusted_proxies'] array.
+    // $cfg['trusted_proxies'] is an array of proxy server addresses we expect to see in REMOTE_ADDR.
+    if ($trust_all_proxies || isset($cfg['trusted_proxies']) && is_array($cfg['trusted_proxies']) && in_array($_SERVER['REMOTE_ADDR'], $cfg['trusted_proxies'], true)) {
+        // Then it's probably safe to use an IP address value set in an HTTP header.
+        // Loop through possible IP address headers.
+        foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED') as $key) {
+            // Loop through and if
+            if (array_key_exists($key, $_SERVER)) {
+                foreach (explode(',', $_SERVER[$key]) as $addr) {
+                    $addr = canonicalIPAddr(trim($addr));
+                    if (false !== filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
+                        return $dolookup && '' != $addr ? gethostbyaddr($addr) : $addr;
+                    }
+                }
+            }
+        }
+    }
+
+    $addr = canonicalIPAddr(trim($_SERVER['REMOTE_ADDR']));
+    return $dolookup && $addr ? gethostbyaddr($addr) : $addr;
+}
+
+/*
+* Converts an ipv4 IP address in hexadecimal form into canonical form (i.e., it removes the prefix).
+*
+* @access   public
+* @param    string  $addr   IP address.
+* @return   string          Canonical IP address.
+* @author   Sander Steffann <http://stackoverflow.com/a/12436099/277303>
+* @author   Quinn Comendant <quinn@strangecode.com>
+* @version  1.0
+* @since    15 Sep 2012
+*/
+function canonicalIPAddr($addr)
+{
+    // Known prefix
+    $v4mapped_prefix_bin = pack('H*', '00000000000000000000ffff');
+
+    // Parse
+    $addr_bin = inet_pton($addr);
+
+    // Check prefix
+    if (substr($addr_bin, 0, strlen($v4mapped_prefix_bin)) == $v4mapped_prefix_bin) {
+        // Strip prefix
+        echo 'prefix matches';
+        $addr_bin = substr($addr_bin, strlen($v4mapped_prefix_bin));
+    }
+
+    // Convert back to printable address in canonical form
+    return inet_ntop($addr_bin);
 }
 
@@ -1117 +1169 @@
  * @return  mixed   Returns the network that matched on success, false on failure.
  */
-function ipInRange($ip, $networks)
+function ipInRange($addr, $networks)
 {
     if (!is_array($networks)) {
@@ -1123 +1175 @@
     }
 
-    $ip_binary = sprintf('%032b', ip2long($ip));
+    $addr_binary = sprintf('%032b', ip2long($addr));
     foreach ($networks as $network) {
         if (preg_match('![\d\.]{7,15}/\d{1,2}!', $network)) {
@@ -1129 +1181 @@
             list($cidr_ip, $cidr_bitmask) = explode('/', $network);
             $cidr_ip_binary = sprintf('%032b', ip2long($cidr_ip));
-            if (mb_substr($ip_binary, 0, $cidr_bitmask) === mb_substr($cidr_ip_binary, 0, $cidr_bitmask)) {
+            if (mb_substr($addr_binary, 0, $cidr_bitmask) === mb_substr($cidr_ip_binary, 0, $cidr_bitmask)) {
                // IP address is within the specified IP range.
                return $network;
             }
         } else {
-            if ($ip === $network) {
+            if ($addr === $network) {
                // IP address exactly matches.
                return $network;