Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat/195: trust REMOTE_ADDR header only #198

Merged
merged 14 commits into from
Aug 26, 2022
Merged

feat/195: trust REMOTE_ADDR header only #198

Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
a6f32bd
try: trust REMOTE_ADDR header only
Sidsector9 May 12, 2022
b14ba38
Merge branch 'develop' into fix/195
jeffpaul Jun 28, 2022
0690600
refactor logic
Sidsector9 Jul 11, 2022
03d97fe
Merge branch 'develop' into fix/195
Sidsector9 Jul 25, 2022
5a7a046
Iterate over each trusted proxy IP address and pass into our validati…
dkotter Aug 19, 2022
3b2b6e8
Add back header
dkotter Aug 19, 2022
041ec15
Always return the REMOTE_ADDR header value if nothing else matches
dkotter Aug 22, 2022
9bdda36
Merge branch 'develop' into fix/195
dkotter Aug 22, 2022
5c103a2
Make sure we actually return our variable
dkotter Aug 22, 2022
3ae9a38
Add tests
dkotter Aug 22, 2022
c0ba458
CR feedback
dkotter Aug 24, 2022
569ae83
Modify tests a bit to use data providers
dkotter Aug 24, 2022
740653c
Ensure we have an IP before checking it
dkotter Aug 24, 2022
bd76209
Update readmes with information on how to utilize these new filters
dkotter Aug 26, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
87 changes: 68 additions & 19 deletions restricted_site_access.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1529,36 +1529,85 @@ public static function ip_in_range( $ip, $range ) {
* @return string
*/
public static function get_client_ip_address() {
$ip = '';
$headers = array(
'HTTP_CF_CONNECTING_IP',
'HTTP_CLIENT_IP',
'HTTP_X_FORWARDED_FOR',
'HTTP_X_FORWARDED',
'HTTP_X_CLUSTER_CLIENT_IP',
'HTTP_FORWARDED_FOR',
'HTTP_FORWARDED',
'REMOTE_ADDR',
);
foreach ( $headers as $key ) {

if ( ! isset( $_SERVER[ $key ] ) ) {
$ip = '';
$remote_addr_header_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : false;

/**
* Assume empty REMOTE_ADDR as unreliable.
*/
if ( false === $remote_addr_header_ip ) {
return '';
}

/**
* Accepts the string 'REMOTE_ADDR' or array of trusted proxies.
* It is advisable to pass 'REMOTE_ADDR' if your proxy server doesn't have
* a static IP.
dkotter marked this conversation as resolved.
Show resolved Hide resolved
*
* @param string|array
*
* @since 7.3.1
*/
$trusted_proxies = apply_filters( 'rsa_trusted_proxies', 'REMOTE_ADDR' );
dkotter marked this conversation as resolved.
Show resolved Hide resolved

/**
* Add headers that your reverse proxy uses to send client IP information.
*
* Example of possible values are:
*
* HTTP_CF_CONNECTING_IP
* HTTP_CLIENT_IP
* HTTP_X_FORWARDED_FOR
* HTTP_X_FORWARDED
* HTTP_X_CLUSTER_CLIENT_IP
* HTTP_FORWARDED_FOR
* HTTP_FORWARDED
*
* @param array
*
* @since 7.3.1
*/
$proxy_trusted_headers = apply_filters( 'rsa_proxy_trusted_headers', array( 'HTTP_X_FORWARDED_FOR' ) );
dkotter marked this conversation as resolved.
Show resolved Hide resolved

if ( is_string( $trusted_proxies ) && 'REMOTE_ADDR' === $trusted_proxies ) {
dkotter marked this conversation as resolved.
Show resolved Hide resolved
if ( ! empty( $proxy_trusted_headers ) ) {
return self::get_ip_from_headers( $proxy_trusted_headers );
} else {
return $remote_addr_header_ip;
}
} else if ( is_array( $trusted_proxies ) && ! empty( $trusted_proxies ) ) {
if ( in_array( $remote_addr_header_ip, $trusted_proxies ) ) {
return self::get_ip_from_headers( $proxy_trusted_headers );
}
}

return '';
}

/**
* Returns the first matched IP from the list of array of headers.
*
* @return string
*/
public static function get_ip_from_headers( $headers = array() ) {
foreach ( $headers as $header ) {
if ( ! isset( $_SERVER[ $header ] ) ) {
continue;
}

foreach ( explode(
',',
sanitize_text_field( wp_unslash( $_SERVER[ $key ] ) )
sanitize_text_field( wp_unslash( $_SERVER[ $header ] ) )
) as $ip ) {
$ip = trim( $ip ); // just to be safe.

if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) !== false ) {
return $ip;
}
}
}

return $ip;
return '';
}

/**
Expand Down