Aleksander Machniak
2013-12-17 a520f331c16fc703cc92d5b9853fb91805f82305
Fix handling of X-Forwarded-For header with multiple addresses (#1489481)
3 files modified
22 ■■■■ changed files
CHANGELOG 1 ●●●● patch | view | raw | blame | history
program/lib/Roundcube/rcube_utils.php 14 ●●●● patch | view | raw | blame | history
program/steps/mail/sendmail.inc 7 ●●●●● patch | view | raw | blame | history
CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
- Fix handling of X-Forwarded-For header with multiple addresses (#1489481)
- Fix border issue on folders list in classic skin (#1489473)
- Implemented menu actions to copy/move messages, added folder-selector widget (#1484086)
- Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477)
program/lib/Roundcube/rcube_utils.php
@@ -680,9 +680,17 @@
     */
    public static function remote_addr()
    {
        foreach (array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR') as $prop) {
            if (!empty($_SERVER[$prop]))
                return $_SERVER[$prop];
        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
            return $hosts[0];
        }
        if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
            return $_SERVER['HTTP_X_REAL_IP'];
        }
        if (!empty($_SERVER['REMOTE_ADDR'])) {
            return $_SERVER['REMOTE_ADDR'];
        }
        return '';
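Review bot: The first X-Forwarded-For entry is returned unmodified at `return $hosts[0];`, with no trimming and no check that it is an IP address, and the forwarded headers are still preferred over REMOTE_ADDR on every request. That header is client-supplied unless a proxy in front of the application overwrites it, so any caller using remote_addr() for logging or access decisions (callers are not visible in this hunk) gets a value the client can choose. At minimum validate the candidate, e.g. `$ip = trim($hosts[0]);` followed by `if (filter_var($ip, FILTER_VALIDATE_IP)) return $ip;`, and fall through to the next source otherwise; the same check applies to HTTP_X_REAL_IP. Honouring the forwarded headers only when REMOTE_ADDR is a configured proxy would address the trust problem itself. The function's docblock and closing brace lie outside the hunk.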
program/steps/mail/sendmail.inc
@@ -345,9 +345,10 @@
  $nldlm = "\r\n\t";
  // FROM/VIA
  $http_header = 'from ';
  if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $host = $_SERVER['HTTP_X_FORWARDED_FOR'];
    $hostname = gethostbyaddr($host);
  if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $hosts    = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
    $hostname = gethostbyaddr($hosts[0]);
    if ($CONFIG['http_received_header_encrypt']) {
      $http_header .= rcmail_encrypt_header($hostname);
      if ($host != $hostname)
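Review bot: `$host` is no longer assigned in this branch, because the new lines fill `$hosts` instead, yet the unchanged `if ($host != $hostname)` at the end of the hunk still reads it. Unless `$host` is set earlier outside the hunk, that comparison runs against an undefined variable and any later use of `$host` sees an empty value. Keep the variable: `$host = trim($hosts[0]);` then `$hostname = gethostbyaddr($host);`. Since gethostbyaddr() returns false and raises a warning for input that is not a valid address, and this value comes from a request header, check `filter_var($host, FILTER_VALIDATE_IP)` before the lookup. The enclosing block continues past the end of the hunk.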