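--- a/trunk/phase3/includes/ProxyTools.php
+++ b/trunk/phase3/includes/ProxyTools.php
@@ -6,6 +6,23 @@
 * @package MediaWiki
 */
 
+function wfGetForwardedFor() {
+ if( function_exists( 'apache_request_headers' ) ) {
+ // More reliable than $_SERVER due to case and -/_ folding
+ $set = apache_request_headers();
+ $index = 'X-Forwarded-For';
+ } else {
+ // Subject to spoofing with headers like X_Forwarded_For
+ $set = $_SERVER;
+ $index = 'HTTP_X_FORWARDED_FOR';
+ }
+ if( isset( $set[$index] ) ) {
+ return $set[$index];
+ } else {
+ return null;
+ }
+}
+
 /** Work out the IP address based on various globals */
 function wfGetIP() {
 global $wgSquidServers, $wgSquidServersNoPurge, $wgIP;
@@ -30,8 +47,9 @@
 $trustedProxies = array_flip( array_merge( $wgSquidServers, $wgSquidServersNoPurge ) );
 if ( count( $trustedProxies ) ) {
 # Append XFF on to $ipchain
- if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
- $xff = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
+ $forwardedFor = wfGetForwardedFor();
+ if ( isset( $forwardedFor ) ) {
+ $xff = array_map( 'trim', explode( ',', $forwardedFor ) );
 $xff = array_reverse( $xff );
 $ipchain = array_merge( $ipchain, $xff );
 }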
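Review bot: The Apache branch of wfGetForwardedFor() looks the header up under the exact key 'X-Forwarded-For', but HTTP header names are case-insensitive and apache_request_headers() appears to return them in whatever case the sender used, so a header written as x-forwarded-for by a trusted proxy would be missed and the XFF chain silently dropped. Normalising the keys keeps the lookup exact without reintroducing the -/_ folding the commit avoids: `$set = array_change_key_case( apache_request_headers(), CASE_LOWER );` and `$index = 'x-forwarded-for';`. The $_SERVER fallback keeps the spoofing exposure its own comment describes, so the protection announced in RELEASE-NOTES only holds where the Apache function is available; the docblock on wfGetIP() should state that under other SAPIs an X_Forwarded_For header still reaches the chain unchanged. The enclosing function wfGetIP() continues outside the hunk.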
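--- a/trunk/phase3/RELEASE-NOTES
+++ b/trunk/phase3/RELEASE-NOTES
@@ -412,6 +412,7 @@
 http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability
 * (bug 4507) Adjust FULLPAGENAMEE escaping to standard form
 * Blocked users can no longer roll back, change the protection of, or delete/undelete pages
+* Protect against spoofing of X-Forwarded-For header
 
 
 === Caveats ===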