Check XFF in addition to REMOTE_ADDR. Do not disclose IP in error mes…

…sage

if not in whitelist.

Fixes nilsteampassnet#1559.

api/functions.php

@@ -17,6 +17,21 @@
 require_once "../includes/config/include.php";
 require_once "../sources/main.functions.php";
 
+function get_ip() {
+    if ( function_exists( 'apache_request_headers' ) ) {
+        $headers = apache_request_headers();
+    } else {
+        $headers = $_SERVER;
+    }
+    if ( array_key_exists( 'X-Forwarded-For', $headers ) && filter_var( $headers['X-Forwarded-For'], FILTER_VALIDATE_IP ) ) {
+        $the_ip = $headers['X-Forwarded-For'];
+    } elseif ( array_key_exists( 'HTTP_X_FORWARDED_FOR', $headers ) && filter_var( $headers['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP ) ) {
+        $the_ip = $headers['HTTP_X_FORWARDED_FOR'];
+    } else {
+        $the_ip = filter_var( $_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP );
+    }
+    return $the_ip;
+}
 
 function teampass_api_enabled() {
     teampass_connect();
@@ -31,7 +46,7 @@ function teampass_api_enabled() {
 function teampass_whitelist() {
     teampass_connect();
     $apiip_pool = teampass_get_ips();
-    if (count($apiip_pool) > 0 && array_search($_SERVER['REMOTE_ADDR'], $apiip_pool) === false) {
+    if (count($apiip_pool) > 0 && array_search(get_ip(), $apiip_pool) === false) {
         rest_error('IPWHITELIST');
     }
 }
@@ -1327,7 +1342,7 @@ function rest_error ($type,$detail = 'N/A') {
             $message = Array('err' => 'No results');
             break;
         case 'IPWHITELIST':
-            $message = Array('err' => 'Ip address '.$_SERVER['REMOTE_ADDR'].' not allowed.');
+            $message = Array('err' => 'Ip address not allowed.');
             header('HTTP/1.1 405 Method Not Allowed');
             break;
         case 'MYSQLERR':