psfs /
core
@@ -44,7 +44,7 @@ discard block |
||
| 44 | 44 | header("Access-Control-Allow-Credentials: true"); |
| 45 | 45 | header("Access-Control-Allow-Origin: *"); |
| 46 | 46 | header("Access-Control-Allow-Methods: GET, POST, DELETE, PUT, PATCH, OPTIONS"); |
| 47 | - header("Access-Control-Allow-Headers: " . implode(', ', self::getCorsHeaders())); |
|
| 47 | + header("Access-Control-Allow-Headers: ".implode(', ', self::getCorsHeaders())); |
|
| 48 | 48 | } |
| 49 | 49 | if (Request::getInstance()->getMethod() == 'OPTIONS') { |
| 50 | 50 | Logger::log('Returning OPTIONS header confirmation for CORS pre flight requests', LOG_DEBUG); |
@@ -73,7 +73,7 @@ discard block |
||
| 73 | 73 | if (self::validateIpAddress($ip)) |
| 74 | 74 | return $ip; |
| 75 | 75 | } |
| 76 | - } else { |
|
| 76 | + }else { |
|
| 77 | 77 | if (self::validateIpAddress($_SERVER['HTTP_X_FORWARDED_FOR'])) |
| 78 | 78 | return $_SERVER['HTTP_X_FORWARDED_FOR']; |
| 79 | 79 | } |
@@ -70,22 +70,28 @@ discard block |
||
| 70 | 70 | if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',') !== false) { |
| 71 | 71 | $iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); |
| 72 | 72 | foreach ($iplist as $ip) { |
| 73 | - if (self::validateIpAddress($ip)) |
|
| 74 | - return $ip; |
|
| 73 | + if (self::validateIpAddress($ip)) { |
|
| 74 | + return $ip; |
|
| 75 | + } |
|
| 75 | 76 | } |
| 76 | 77 | } else { |
| 77 | - if (self::validateIpAddress($_SERVER['HTTP_X_FORWARDED_FOR'])) |
|
| 78 | - return $_SERVER['HTTP_X_FORWARDED_FOR']; |
|
| 78 | + if (self::validateIpAddress($_SERVER['HTTP_X_FORWARDED_FOR'])) { |
|
| 79 | + return $_SERVER['HTTP_X_FORWARDED_FOR']; |
|
| 80 | + } |
|
| 79 | 81 | } |
| 80 | 82 | } |
| 81 | - if (!empty($_SERVER['HTTP_X_FORWARDED']) && self::validateIpAddress($_SERVER['HTTP_X_FORWARDED'])) |
|
| 82 | - return $_SERVER['HTTP_X_FORWARDED']; |
|
| 83 | - if (!empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']) && self::validateIpAddress($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) |
|
| 84 | - return $_SERVER['HTTP_X_CLUSTER_CLIENT_IP']; |
|
| 85 | - if (!empty($_SERVER['HTTP_FORWARDED_FOR']) && self::validateIpAddress($_SERVER['HTTP_FORWARDED_FOR'])) |
|
| 86 | - return $_SERVER['HTTP_FORWARDED_FOR']; |
|
| 87 | - if (!empty($_SERVER['HTTP_FORWARDED']) && self::validateIpAddress($_SERVER['HTTP_FORWARDED'])) |
|
| 88 | - return $_SERVER['HTTP_FORWARDED']; |
|
| 83 | + if (!empty($_SERVER['HTTP_X_FORWARDED']) && self::validateIpAddress($_SERVER['HTTP_X_FORWARDED'])) { |
|
| 84 | + return $_SERVER['HTTP_X_FORWARDED']; |
|
| 85 | + } |
|
| 86 | + if (!empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']) && self::validateIpAddress($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) { |
|
| 87 | + return $_SERVER['HTTP_X_CLUSTER_CLIENT_IP']; |
|
| 88 | + } |
|
| 89 | + if (!empty($_SERVER['HTTP_FORWARDED_FOR']) && self::validateIpAddress($_SERVER['HTTP_FORWARDED_FOR'])) { |
|
| 90 | + return $_SERVER['HTTP_FORWARDED_FOR']; |
|
| 91 | + } |
|
| 92 | + if (!empty($_SERVER['HTTP_FORWARDED']) && self::validateIpAddress($_SERVER['HTTP_FORWARDED'])) { |
|
| 93 | + return $_SERVER['HTTP_FORWARDED']; |
|
| 94 | + } |
|
| 89 | 95 | |
| 90 | 96 | // return unreliable ip since all else failed |
| 91 | 97 | return $_SERVER['REMOTE_ADDR']; |
@@ -96,8 +102,9 @@ discard block |
||
| 96 | 102 | * a private network range. |
| 97 | 103 | */ |
| 98 | 104 | public static function validateIpAddress($ip) { |
| 99 | - if (strtolower($ip) === 'unknown') |
|
| 100 | - return false; |
|
| 105 | + if (strtolower($ip) === 'unknown') { |
|
| 106 | + return false; |
|
| 107 | + } |
|
| 101 | 108 | |
| 102 | 109 | // generate ipv4 network address |
| 103 | 110 | $ip = ip2long($ip); |
@@ -109,14 +116,30 @@ discard block |
||
| 109 | 116 | // signed numbers (ints default to signed in PHP) |
| 110 | 117 | $ip = sprintf('%u', $ip); |
| 111 | 118 | // do private network range checking |
| 112 | - if ($ip >= 0 && $ip <= 50331647) return false; |
|
| 113 | - if ($ip >= 167772160 && $ip <= 184549375) return false; |
|
| 114 | - if ($ip >= 2130706432 && $ip <= 2147483647) return false; |
|
| 115 | - if ($ip >= 2851995648 && $ip <= 2852061183) return false; |
|
| 116 | - if ($ip >= 2886729728 && $ip <= 2887778303) return false; |
|
| 117 | - if ($ip >= 3221225984 && $ip <= 3221226239) return false; |
|
| 118 | - if ($ip >= 3232235520 && $ip <= 3232301055) return false; |
|
| 119 | - if ($ip >= 4294967040) return false; |
|
| 119 | + if ($ip >= 0 && $ip <= 50331647) { |
|
| 120 | + return false; |
|
| 121 | + } |
|
| 122 | + if ($ip >= 167772160 && $ip <= 184549375) { |
|
| 123 | + return false; |
|
| 124 | + } |
|
| 125 | + if ($ip >= 2130706432 && $ip <= 2147483647) { |
|
| 126 | + return false; |
|
| 127 | + } |
|
| 128 | + if ($ip >= 2851995648 && $ip <= 2852061183) { |
|
| 129 | + return false; |
|
| 130 | + } |
|
| 131 | + if ($ip >= 2886729728 && $ip <= 2887778303) { |
|
| 132 | + return false; |
|
| 133 | + } |
|
| 134 | + if ($ip >= 3221225984 && $ip <= 3221226239) { |
|
| 135 | + return false; |
|
| 136 | + } |
|
| 137 | + if ($ip >= 3232235520 && $ip <= 3232301055) { |
|
| 138 | + return false; |
|
| 139 | + } |
|
| 140 | + if ($ip >= 4294967040) { |
|
| 141 | + return false; |
|
| 142 | + } |
|
| 120 | 143 | } |
| 121 | 144 | return true; |
| 122 | 145 | } |
