Commit d249ef89 authored by Chris Pitchford's avatar Chris Pitchford

ZP-1200 Attempt to use OS backed IP resolution to support ipv4/6.

Released under the Affero GNU General Public License (AGPL) version 3.

Attempt to use the PHP inet_pton function to parse the client's IP
address. This OS backed function will parse IPv4 and IPv6 addresses
(where supported)

If the function fails to parse the address, we prefix it with badip-
and fall back to the original manual pattern match.
parent 0e4a1a39
...@@ -123,7 +123,7 @@ class Request { ...@@ -123,7 +123,7 @@ class Request {
self::$method = self::filterEvilInput($_SERVER["REQUEST_METHOD"], self::LETTERS_ONLY); self::$method = self::filterEvilInput($_SERVER["REQUEST_METHOD"], self::LETTERS_ONLY);
// TODO check IPv6 addresses // TODO check IPv6 addresses
if(isset($_SERVER["REMOTE_ADDR"])) if(isset($_SERVER["REMOTE_ADDR"]))
self::$remoteAddr = self::filterEvilInput($_SERVER["REMOTE_ADDR"], self::NUMBERSDOT_ONLY); self::$remoteAddr = self::filterIP($_SERVER["REMOTE_ADDR"]);
// in protocol version > 14 mobile send these inputs as encoded query string // in protocol version > 14 mobile send these inputs as encoded query string
if (!isset(self::$command) && !empty($_SERVER['QUERY_STRING']) && Utils::IsBase64String($_SERVER['QUERY_STRING'])) { if (!isset(self::$command) && !empty($_SERVER['QUERY_STRING']) && Utils::IsBase64String($_SERVER['QUERY_STRING'])) {
...@@ -237,7 +237,7 @@ class Request { ...@@ -237,7 +237,7 @@ class Request {
} }
if (defined('USE_X_FORWARDED_FOR_HEADER') && USE_X_FORWARDED_FOR_HEADER == true && isset(self::$headers["x-forwarded-for"])) { if (defined('USE_X_FORWARDED_FOR_HEADER') && USE_X_FORWARDED_FOR_HEADER == true && isset(self::$headers["x-forwarded-for"])) {
$forwardedIP = self::filterEvilInput(self::$headers["x-forwarded-for"], self::NUMBERSDOT_ONLY); $forwardedIP = self::filterIP(self::$headers["x-forwarded-for"]);
if ($forwardedIP) { if ($forwardedIP) {
ZLog::Write(LOGLEVEL_DEBUG, sprintf("'X-Forwarded-for' indicates remote IP: %s - connect is coming from IP: %s", $forwardedIP, self::$remoteAddr)); ZLog::Write(LOGLEVEL_DEBUG, sprintf("'X-Forwarded-for' indicates remote IP: %s - connect is coming from IP: %s", $forwardedIP, self::$remoteAddr));
self::$remoteAddr = $forwardedIP; self::$remoteAddr = $forwardedIP;
...@@ -684,6 +684,23 @@ class Request { ...@@ -684,6 +684,23 @@ class Request {
return ($re) ? preg_replace($re, $replacevalue, $input) : ''; return ($re) ? preg_replace($re, $replacevalue, $input) : '';
} }
/**
* If $input is a valid IPv4 or IPv6 address, returns a valid compact IPv4 or IPv6 address string
* Otherwise, it will strip all characters that are neither numerical or '.' and prefix with "bad-ip"
*
* @param string $input The ipv4/ipv6 address
*
* @access public
* @return string
*/
static private function filterIP($input) {
$in_addr = @inet_pton($input);
if ($in_addr === false) {
return 'badip-' . self::filterEvilInput($input, self::NUMBERSDOT_ONLY);
}
return inet_ntop($in_addr);
}
/** /**
* Returns base64 encoded "php://input" * Returns base64 encoded "php://input"
* With POST request (our case), you can open and read * With POST request (our case), you can open and read
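Review bot: The `if ($forwardedIP)` guard that follows the new `self::filterIP(self::$headers["x-forwarded-for"])` call is now effectively always true, because filterIP never returns an empty string — input that inet_pton rejects comes back as `badip-` plus whatever digits and dots survive — so a client-supplied X-Forwarded-For value that does not parse (a comma-separated proxy chain such as `client, proxy`, or arbitrary text) overwrites the already-validated REMOTE_ADDR with a `badip-…` string that then flows into ZLog and anything else reading self::$remoteAddr. Before this change filterEvilInput with NUMBERSDOT_ONLY could yield `''` for such a header and the override was skipped, so consider keeping the connecting address when the header is unparsable, e.g. `if ($forwardedIP && strncmp($forwardedIP, 'badip-', 6) !== 0) {`, and log the rejected header at debug level instead; the method containing that check starts and ends outside the hunk. In filterIP the docblock says the fallback is prefixed with "bad-ip" while the code uses `badip-`, and `@access public` contradicts `static private` — the comment should read `prefix with "badip-"` and `@access private`. The `@` on inet_pton only hides the warning emitted for a malformed string; it does not cover a non-string `$input` (an array-valued header, for instance), which on PHP 8 raises a TypeError instead, so an explicit `is_string($input)` check before the call would make the fallback path reliable if callers are not guaranteed to pass strings.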