From 4d480b36ea4b503ed997b1b9c60c433b5508e4aa Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Wed, 17 Jul 2013 02:04:15 -0400
Subject: [PATCH] Respect HTTP_X_FORWARDED_FOR and HTTP_X_REAL_IP variables for session IP check

---
 program/lib/Roundcube/rcube_session.php |    8 ++++----
 program/lib/Roundcube/rcube_utils.php   |   15 +++++++++++++++
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/program/lib/Roundcube/rcube_session.php b/program/lib/Roundcube/rcube_session.php
index 615ec6f..646933b 100644
--- a/program/lib/Roundcube/rcube_session.php
+++ b/program/lib/Roundcube/rcube_session.php
@@ -54,7 +54,7 @@
     {
         $this->db      = $db;
         $this->start   = microtime(true);
-        $this->ip      = $_SERVER['REMOTE_ADDR'];
+        $this->ip      = rcube_utils::remote_addr();
         $this->logging = $config->get('log_session', false);
 
         $lifetime = $config->get('session_lifetime', 1) * 60;
@@ -480,7 +480,7 @@
     public function kill()
     {
         $this->vars = null;
-        $this->ip = $_SERVER['REMOTE_ADDR']; // update IP (might have changed)
+        $this->ip = rcube_utils::remote_addr(); // update IP (might have changed)
         $this->destroy(session_id());
         rcube_utils::setcookie($this->cookiename, '-del-', time() - 60);
     }
@@ -694,10 +694,10 @@
     function check_auth()
     {
         $this->cookie = $_COOKIE[$this->cookiename];
-        $result = $this->ip_check ? $_SERVER['REMOTE_ADDR'] == $this->ip : true;
+        $result = $this->ip_check ? rcube_utils::remote_addr() == $this->ip : true;
 
         if (!$result) {
-            $this->log("IP check failed for " . $this->key . "; expected " . $this->ip . "; got " . $_SERVER['REMOTE_ADDR']);
+            $this->log("IP check failed for " . $this->key . "; expected " . $this->ip . "; got " . rcube_utils::remote_addr());
         }
 
         if ($result && $this->_mkcookie($this->now) != $this->cookie) {
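Review bot: The comparison on the changed line makes `ip_check` bypassable, because both sides now come from request headers the client can set: the stored `$this->ip` is taken from `rcube_utils::remote_addr()` at session start, and a later request presenting the same value in `X-Forwarded-For` passes the check regardless of its real `REMOTE_ADDR`, so a stolen cookie plus one header defeats the binding the option is meant to provide. Nothing in the patch limits the header lookup to deployments that actually sit behind a proxy, so installs that are reached directly lose the protection silently rather than visibly; until the helper is gated on a trusted proxy, I would at least document that on the option with a comment such as `// NOTE: with a spoofable X-Forwarded-For this check only holds behind a proxy that overwrites the header`. The loose `==` should also become `===` since both operands are strings, and the logged "got" value on the next line is now client-supplied text, so it should be sanitized or validated before being written to the log. check_auth's body continues outside the hunk.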
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index 6c3bd21..cf87ded 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -666,6 +666,21 @@
 
 
     /**
+     * Returns the real remote IP address
+     *
+     * @return string Remote IP address
+     */
+    public static function remote_addr()
+    {
+        foreach (array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR') as $prop) {
+            if (!empty($_SERVER[$prop]))
+                return $_SERVER[$prop];
+        }
+
+        return '';
+    }
+
+    /**
      * Read a specific HTTP request header.
      *
      * @param  string $name Header name
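Review bot: `remote_addr()` returns the first non-empty value of `HTTP_X_FORWARDED_FOR`, `HTTP_X_REAL_IP` and only then `REMOTE_ADDR`, so any client can choose what the function reports simply by sending the header, and `REMOTE_ADDR` is consulted only when the client declines to do so. The forwarding headers should be honoured only when `REMOTE_ADDR` is a proxy this deployment trusts (presumably a list to be fed from the configuration); `X-Forwarded-For` is also a comma-separated chain in which the trusted proxy appends the peer it actually saw, so the rightmost entry is the one it vouches for and the leftmost is attacker-controlled, and the result should be checked with `filter_var($ip, FILTER_VALIDATE_IP)` since it is stored in the session and written to the log. A backward-compatible sketch with an optional trusted-proxy parameter follows; it keeps the existing no-argument behaviour of falling back to `REMOTE_ADDR`.
```php
    public static function remote_addr($trusted_proxies = array())
    {
        $peer = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

        // Forwarding headers are client-supplied text; believe them only when the
        // direct peer is a proxy we operate, otherwise the check is spoofable.
        if ($peer !== '' && in_array($peer, $trusted_proxies, true)) {
            foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP') as $prop) {
                if (empty($_SERVER[$prop])) {
                    continue;
                }
                // X-Forwarded-For is "client, proxy1, proxy2, ..."; the trusted proxy
                // appended the last entry, earlier ones may have been forged by the client.
                $chain     = array_map('trim', explode(',', $_SERVER[$prop]));
                $candidate = end($chain);
                if ($candidate !== false && filter_var($candidate, FILTER_VALIDATE_IP)) {
                    return $candidate;
                }
            }
        }

        return $peer;
    }
```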

--
Gitblit v1.9.1