Make proxy IP parsing aware of multiple proxies

nijel · nijel · commit 6aacd7dcfef8 · 2016-07-11T08:22:58.000+02:00
Signed-off-by: Michal Čihař &lt;michal@cihar.com&gt;
diff --git a/libraries/ip_allow_deny.lib.php b/libraries/ip_allow_deny.lib.php
@@ -30,23 +30,30 @@ function PMA_getIp()
         return $direct_ip;
     }
 
-    $trusted_header_value
-        = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
-    $matches = array();
+    /**
+     * Parse header in form:
+     * X-Forwarded-For: client, proxy1, proxy2
+     */
+    // Get header content
+    $value = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
+    // Grab first element what is client adddress
+    $value = explode(',', $value)[0];
+    // Extract IP address
     // the $ checks that the header contains only one IP address,
     // ?: makes sure the () don't capture
+    $matches = array();
     $is_ip = preg_match(
         '|^(?:[0-9]{1,3}\.){3,3}[0-9]{1,3}$|',
-        $trusted_header_value, $matches
+        $value, $matches
     );
 
     if ($is_ip && (count($matches) == 1)) {
         // True IP behind a proxy
         return $matches[0];
     }
 
-    /* Return true IP */
-    return $direct_ip;
+    // We could not parse header
+    return false;
 } // end of the 'PMA_getIp()' function
 
 
diff --git a/test/libraries/PMA_ip_allow_deny_test.php b/test/libraries/PMA_ip_allow_deny_test.php
@@ -51,32 +51,58 @@ public function setUp()
      * Test for PMA_getIp
      *
      * @return void
+     *
+     * @dataProvider proxyIPs
      */
-    public function testGetIp()
+    public function testGetIp($remote, $header, $expected, $proxyip = null)
     {
-        //$_SERVER['REMOTE_ADDR'] is empty
-        $this->assertEquals(
-            false,
-            PMA_getIp()
-        );
+        unset($_SERVER['REMOTE_ADDR']);
+        unset($_SERVER['TEST_FORWARDED_HEADER']);
+        $GLOBALS['cfg']['TrustedProxies'] = array();
+
+        if (!is_null($remote)) {
+            $_SERVER['REMOTE_ADDR'] = $remote;
+        }
+
+        if (!is_null($header)) {
+            if (is_null($proxyip)) {
+                $proxyip = $remote;
+            }
+            $GLOBALS['cfg']['TrustedProxies'][$proxyip] = 'TEST_FORWARDED_HEADER';
+            $_SERVER['TEST_FORWARDED_HEADER'] = $header;
+        }
 
-        $_SERVER['REMOTE_ADDR'] = "101.0.0.25";
         $this->assertEquals(
-            "101.0.0.25",
+            $expected,
             PMA_getIp()
         );
 
-        //proxy
-        $var_name = "direct_ip";
-        $direct_ip = $_SERVER['REMOTE_ADDR'];
-        $GLOBALS['cfg']['TrustedProxies'][$direct_ip] = $var_name;
-        $_SERVER[$var_name] = "192.168.0.1";
-        $this->assertEquals(
-            "192.168.0.1",
-            PMA_getIp()
+        unset($_SERVER['REMOTE_ADDR']);
+        unset($_SERVER['TEST_FORWARDED_HEADER']);
+        $GLOBALS['cfg']['TrustedProxies'] = array();
+    }
+
+    /**
+     * Data provider for PMA_getIp tests
+     *
+     * @return array
+     */
+    public function proxyIPs()
+    {
+        return array(
+            // Nothing set
+            array(null, null, false),
+            // Remote IP set
+            array('101.0.0.25', null, '101.0.0.25'),
+            // Proxy
+            array('101.0.0.25', '192.168.10.10', '192.168.10.10'),
+            // Several proxies
+            array('101.0.0.25', '192.168.10.1, 192.168.100.100', '192.168.10.1'),
+            // Invalid proxy
+            array('101.0.0.25', 'invalid', false),
+            // Direct IP with proxy enabled
+            array('101.0.0.25', '192.168.10.10', '101.0.0.25', '10.10.10.10'),
         );
-        unset($_SERVER[$var_name]);
-        unset($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
     }
 
     /**
