Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Add header_ips config option and fix CI_Input::ip_address() (issue #907) #910

Closed
wants to merge 26 commits into from

1 participant

@narfbg
Owner

Changes include:

  • Fixed issue #907 (add $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] to accepted client IP headers).
  • Fixed auto-trusting of $_SERVER['HTTP_CLIENT_IP'] - this shouldn't happen unless specifically enabled.
  • Changed handling of $config['proxy_ips'] - array() values are now also accepted as well as strings. String lists should probably be deprecated - any thoughts?
  • Added $config['header_ips'] to enable/disable the use of HTTP_X_FORWARDED_FOR, HTTP_CLIENT_IP, HTTP_X_CLUSTER_CLIENT_IP independently from $config['proxy_ips'] (defaults to FALSE).
@narfbg narfbg closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Jan 10, 2012
  1. @narfbg
  2. @narfbg
  3. @narfbg
  4. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Jan 20, 2012
  1. @narfbg

    Replace AND with &&

    narfbg authored
  2. @narfbg
Commits on Jan 24, 2012
  1. @narfbg
Commits on Feb 1, 2012
  1. @narfbg

    Merge upstream

    narfbg authored
Commits on Feb 2, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Feb 6, 2012
  1. @narfbg
Commits on Feb 8, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Feb 10, 2012
  1. @narfbg
Commits on Feb 14, 2012
  1. @narfbg
Commits on Feb 16, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Feb 22, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Feb 28, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Feb 29, 2012
  1. @narfbg
Commits on Mar 1, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
  2. @narfbg

    Merge upstream branch

    narfbg authored
  3. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Mar 2, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Mar 3, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Mar 9, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Mar 10, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
Commits on Mar 20, 2012
  1. @narfbg

    Merge upstream branch

    narfbg authored
Commits on May 2, 2012
  1. @narfbg
This page is out of date. Refresh to see the latest.
View
130 application/config/config.php
@@ -37,7 +37,6 @@
|
| If this is not set then CodeIgniter will guess the protocol, domain and
| path to your installation.
-|
*/
$config['base_url'] = '';
@@ -49,7 +48,6 @@
| Typically this will be your index.php file, unless you've renamed it to
| something else. If you are using mod_rewrite to remove the page set this
| variable so that it is blank.
-|
*/
$config['index_page'] = 'index.php';
@@ -59,7 +57,7 @@
|--------------------------------------------------------------------------
|
| This item determines which server global should be used to retrieve the
-| URI string. The default setting of 'AUTO' works for most servers.
+| URI string. The default setting of 'AUTO' works for most servers.
| If your links do not seem to work, try one of the other delicious flavors:
|
| 'AUTO' Default - auto detects
@@ -67,7 +65,6 @@
| 'QUERY_STRING' Uses the QUERY_STRING
| 'REQUEST_URI' Uses the REQUEST_URI
| 'ORIG_PATH_INFO' Uses the ORIG_PATH_INFO
-|
*/
$config['uri_protocol'] = 'AUTO';
@@ -81,7 +78,6 @@
|
| http://codeigniter.com/user_guide/general/urls.html
*/
-
$config['url_suffix'] = '';
/*
@@ -92,7 +88,6 @@
| This determines which set of language files should be used. Make sure
| there is an available translation if you intend to use something other
| than english.
-|
*/
$config['language'] = 'english';
@@ -105,7 +100,6 @@
| that require a character set to be provided.
|
| See http://php.net/htmlspecialchars for a list of supported charsets.
-|
*/
$config['charset'] = 'UTF-8';
@@ -115,47 +109,41 @@
|--------------------------------------------------------------------------
|
| If you would like to use the 'hooks' feature you must enable it by
-| setting this variable to TRUE (boolean). See the user guide for details.
-|
+| setting this variable to TRUE (boolean). See the user guide for details.
*/
$config['enable_hooks'] = FALSE;
-
/*
|--------------------------------------------------------------------------
| Class Extension Prefix
|--------------------------------------------------------------------------
|
| This item allows you to set the filename/classname prefix when extending
-| native libraries. For more information please see the user guide:
+| native libraries. For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/core_classes.html
| http://codeigniter.com/user_guide/general/creating_libraries.html
-|
*/
$config['subclass_prefix'] = 'MY_';
-
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
-| within your URLs. When someone tries to submit a URL with disallowed
+| within your URLs. When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
-| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
+| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
-|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
-
/*
|--------------------------------------------------------------------------
| Enable Query Strings
@@ -164,7 +152,7 @@
| By default CodeIgniter uses search-engine friendly segment based URLs:
| example.com/who/what/where/
|
-| By default CodeIgniter enables access to the $_GET array. If for some
+| By default CodeIgniter enables access to the $_GET array. If for some
| reason you would like to disable it, set 'allow_get_array' to FALSE.
|
| You can optionally enable standard query string based URLs:
@@ -179,12 +167,11 @@
| Please note that some of the helpers won't work as expected when
| this feature is enabled, since CodeIgniter is designed primarily to
| use segment based URLs.
-|
*/
-$config['allow_get_array'] = TRUE;
+$config['allow_get_array'] = TRUE;
$config['enable_query_strings'] = FALSE;
$config['controller_trigger'] = 'c';
-$config['function_trigger'] = 'm';
+$config['function_trigger'] = 'm';
$config['directory_trigger'] = 'd'; // experimental not currently in use
/*
@@ -193,7 +180,7 @@
|--------------------------------------------------------------------------
|
| If you have enabled error logging, you can set an error threshold to
-| determine what gets logged. Threshold options are:
+| determine what gets logged.
| You can enable error logging by setting a threshold over zero. The
| threshold determines what gets logged. Threshold options are:
|
@@ -204,12 +191,11 @@
| 4 = All Messages
|
| You can also pass in a array with threshold levels to show individual error types
-|
+|
| array(2) = Debug Messages, without Error Messages
|
| For a live site you'll usually only enable Errors (1) to be logged otherwise
| your log files will fill up very fast.
-|
*/
$config['log_threshold'] = 0;
@@ -220,7 +206,6 @@
|
| Leave this BLANK unless you would like to set something other than the default
| application/logs/ folder. Use a full server path with trailing slash.
-|
*/
$config['log_path'] = '';
@@ -231,7 +216,6 @@
|
| Each item that is logged has an associated date. You can use PHP date
| codes to set your own date formatting
-|
*/
$config['log_date_format'] = 'Y-m-d H:i:s';
@@ -242,7 +226,6 @@
|
| Leave this BLANK unless you would like to set something other than the default
| system/cache/ folder. Use a full server path with trailing slash.
-|
*/
$config['cache_path'] = '';
@@ -253,10 +236,9 @@
|
| If you use the Encryption class or the Session class you
| MUST set an encryption key. See the user guide for info.
-|
+|
| http://codeigniter.com/user_guide/libraries/encryption.html
| http://codeigniter.com/user_guide/libraries/sessions.html
-|
*/
$config['encryption_key'] = '';
@@ -266,17 +248,17 @@
|--------------------------------------------------------------------------
|
| 'sess_cookie_name' = the name you want for the cookie
-| 'sess_expiration' = the number of SECONDS you want the session to last.
-| by default sessions last 7200 seconds (two hours). Set to zero for no expiration.
+| 'sess_expiration' = the number of SECONDS you want the session to last.
+| by default sessions last 7200 seconds (two hours).
+| Set to zero for no expiration.
| 'sess_expire_on_close' = Whether to cause the session to expire automatically
-| when the browser window is closed
+| when the browser window is closed
| 'sess_encrypt_cookie' = Whether to encrypt the cookie
| 'sess_use_database' = Whether to save the session data to a database
-| 'sess_table_name' = The name of the session database table
-| 'sess_match_ip' = Whether to match the user's IP address when reading the session data
+| 'sess_table_name' = The name of the session database table
+| 'sess_match_ip' = Whether to match the user's IP address when reading the session data
| 'sess_match_useragent' = Whether to match the User Agent when reading the session data
| 'sess_time_to_update' = how many seconds between CI refreshing Session Information
-|
*/
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
@@ -293,16 +275,15 @@
| Cookie Related Variables
|--------------------------------------------------------------------------
|
-| 'cookie_prefix' = Set a prefix if you need to avoid collisions
-| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
-| 'cookie_path' = Typically will be a forward slash
-| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
-| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript)
-|
+| 'cookie_prefix' = Set a prefix if you need to avoid collisions
+| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
+| 'cookie_path' = Typically will be a forward slash
+| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
+| 'cookie_httponly' = Cookies will only be accessible via HTTP(S) (no javascript)
*/
-$config['cookie_prefix'] = "";
-$config['cookie_domain'] = "";
-$config['cookie_path'] = "/";
+$config['cookie_prefix'] = '';
+$config['cookie_domain'] = '';
+$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;
@@ -312,8 +293,7 @@
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
-| COOKIE data is encountered
-|
+| COOKIE data is encountered.
*/
$config['global_xss_filtering'] = FALSE;
@@ -343,17 +323,16 @@
| Output Compression
|--------------------------------------------------------------------------
|
-| Enables Gzip output compression for faster page loads. When enabled,
+| Enables Gzip output compression for faster page loads. When enabled,
| the output class will test whether your server supports Gzip.
| Even if it does, however, not all browsers support compression
| so enable only if you are reasonably sure your visitors can handle it.
|
-| VERY IMPORTANT: If you are getting a blank page when compression is enabled it
+| VERY IMPORTANT: If you are getting a blank page when compression is enabled it
| means you are prematurely outputting something to your browser. It could
-| even be a line of whitespace at the end of one of your scripts. For
+| even be a line of whitespace at the end of one of your scripts. For
| compression to work, nothing can be sent before the output buffer is called
-| by the output class. Do not 'echo' any values with compression enabled.
-|
+| by the output class. Do not 'echo' any values with compression enabled.
*/
$config['compress_output'] = FALSE;
@@ -366,11 +345,9 @@
| your server's local time as the master 'now' reference, or convert it to
| GMT. See the 'date helper' page of the user guide for information
| regarding date handling.
-|
*/
$config['time_reference'] = 'local';
-
/*
|--------------------------------------------------------------------------
| Rewrite PHP Short Tags
@@ -378,25 +355,46 @@
|
| If your PHP installation does not have short tag support enabled CI
| can rewrite the tags on-the-fly, enabling you to utilize that syntax
-| in your view files. Options are TRUE or FALSE (boolean)
-|
+| in your view files. Options are TRUE or FALSE (boolean)
*/
$config['rewrite_short_tags'] = FALSE;
-
/*
|--------------------------------------------------------------------------
-| Reverse Proxy IPs
-|--------------------------------------------------------------------------
-|
-| If your server is behind a reverse proxy, you must whitelist the proxy IP
-| addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
-| header in order to properly identify the visitor's IP address.
-| Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
-|
+| Override REMOTE_ADDR
+|--------------------------------------------------------------------------
+|
+| Those are useful if you have clients accessing your application through a
+| proxy or if the server itself is behind a firewall/proxy. In those cases
+| REMOTE_ADDR can appear to always be the same for either a specific group
+| of clients or all of them.
+|
+| Headers used to get the client IP are (if available; first to last order):
+| - HTTP_X_FORWARDED_FOR
+| - HTTP_CLIENT_IP
+| - HTTP_X_CLUSTER_CLIENT_IP
+|
+| 'proxy_ips' = Specifies a whilelist of trusted proxy IP addresses for
+| which to enable overriding. Mostly useful if you have a
+| group of clients using a trusted proxy. This setting
+| doesn't depend on 'header_ips' and will work even if it's
+| disabled. Can be set to:
+| (array) each element must be a valid IP address
+ (this is preferred over string values)
+| e.g. array('10.0.1.200', '10.0.1.201')
+| (string) a comma-separated list of IP addresses
+| e.g. '10.0.1.200,10.0.1.201'
+|
+| 'header_ips' = Whether to always enable overriding of REMOTE_ADDR.
+| TRUE to enable
+| FALSE to disable (default)
+|
+| WARNING: Enabling 'header_ips' causes a potential
+| security risk! Do NOT set to TRUE unless you
+| are certain that you need to!
*/
-$config['proxy_ips'] = '';
-
+$config['proxy_ips'] = array();
+$config['header_ips'] = FALSE;
/* End of file config.php */
/* Location: ./application/config/config.php */
View
50 system/core/Input.php
@@ -322,28 +322,35 @@ public function ip_address()
return $this->ip_address;
}
- if (config_item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR'))
+ // Decide wether to trust client IP headers
+ $override = (bool) config_item('header_ips');
+ if ($override === FALSE)
{
- $proxies = preg_split('/[\s,]/', config_item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY);
- $proxies = is_array($proxies) ? $proxies : array($proxies);
-
- $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
- }
- elseif ( ! $this->server('HTTP_CLIENT_IP') && $this->server('REMOTE_ADDR'))
- {
- $this->ip_address = $_SERVER['REMOTE_ADDR'];
- }
- elseif ($this->server('REMOTE_ADDR') && $this->server('HTTP_CLIENT_IP'))
- {
- $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
+ if ($this->server('REMOTE_ADDR'))
+ {
+ $proxy_ips = config_item('proxy_ips');
+ // 'proxy_ips' can be either an array() or a (string) comma-separated list
+ if ((is_array($proxy_ips) && in_array($this->server('REMOTE_ADDR'), $proxy_ips))
+ OR (is_string($proxy_ips) && preg_match('/^(.+,\s*)?'.preg_quote($this->server['REMOTE_ADDR']).'(\s*,.+)?$/', $proxy_ips)))
+ {
+ $override = TRUE;
+ }
+ }
+ else
+ {
+ $override = TRUE;
+ }
}
- elseif ($this->server('HTTP_CLIENT_IP'))
+
+ if ($override === FALSE)
{
- $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
+ $this->ip_address = $this->server('REMOTE_ADDR');
}
- elseif ($this->server('HTTP_X_FORWARDED_FOR'))
+ elseif ($ip = $this->server('HTTP_X_FORWARDED_FOR')
+ OR $ip = $this->server('HTTP_CLIENT_IP')
+ OR $ip = $this->server('HTTP_X_CLUSTER_CLIENT_IP'))
{
- $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
+ $this->ip_address = $ip;
}
if ($this->ip_address === FALSE)
@@ -357,12 +364,9 @@ public function ip_address()
$this->ip_address = trim(end($x));
}
- if ( ! $this->valid_ip($this->ip_address))
- {
- return $this->ip_address = '0.0.0.0';
- }
-
- return $this->ip_address;
+ return ($this->valid_ip($this->ip_address))
+ ? $this->ip_address
+ : $this->ip_address = '0.0.0.0';
}
// --------------------------------------------------------------------
View
4 user_guide_src/source/changelog.rst
@@ -146,6 +146,8 @@ Release Date: Not Released
- Added support for HTTP-Only cookies with new config option ``cookie_httponly`` (default FALSE).
- Renamed method _call_hook() to call_hook() in the :doc:`Hooks Library <general/hooks>`.
- Added get_content_type() method to the :doc:`Output Library <libraries/output>`.
+ - Added $config['header_ips'] to enable/disable trusting custom IP headers (HTTP_X_FORWARDED_FOR, HTTP_CLIENT_IP, HTTP_CLUSTER_CLIENT_IP) in CI_Input::ip_address().
+ - Changed handling of $config['proxy_ips'] to also accept arrays instead of only strings.
Bug fixes for 3.0
------------------
@@ -214,6 +216,8 @@ Bug fixes for 3.0
- Fixed a bug in SQLSRV's delete() method where like() and limit() conditions were ignored.
- Fixed a bug (#1265) - Database connections were always closed, regardless of the 'pconnect' option value.
- Fixed a bug (#128) - :doc:`Language Library <libraries/language>` did not correctly keep track of loaded language files.
+- Fixed a bug (#907) - :doc:`Input Library <libraries/input>` did not check for HTTP_X_CLUSTER_CLIENT_IP.
+- Fixed a bug in CI_Input::ip_address() where if HTTP_CLIENT_IP was automatically trusted, if available.
Version 2.1.1
=============
Something went wrong with that request. Please try again.