
authorAndrejs Griščenko <andrejs.griscenko@zabbix.com>2022-10-24 10:37:28 +0300
committerAndrejs Griščenko <andrejs.griscenko@zabbix.com>2022-10-24 10:56:20 +0300
commit01e10eb155bd78b2a79e1e458ae25823af96c0c7 (patch)
treeb8449ba79453a7b9ebe45329dd1b7548570914b7
parentb6cf02f328416b03c0b061a62e6132632d87b603 (diff)
A.F....... [DEV-2301] fixed X-Forwarded-For request header spoofing allowing access to the Frontend in maintenance mode
-rw-r--r--frontends/php/include/audit.inc.php11
-rw-r--r--frontends/php/include/classes/api/services/CUser.php4
-rw-r--r--frontends/php/include/classes/core/ZBase.php5
-rw-r--r--frontends/php/include/classes/user/CWebUser.php9
4 files changed, 14 insertions, 15 deletions
diff --git a/frontends/php/include/audit.inc.php b/frontends/php/include/audit.inc.php
index 0b644235011..54ce20f4788 100644
--- a/frontends/php/include/audit.inc.php
+++ b/frontends/php/include/audit.inc.php
@@ -69,12 +69,10 @@ function add_audit($action, $resourcetype, $details) {
$details = mb_substr($details, 0, 125).'...';
}
- $ip = !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
-
$values = [
'userid' => CWebUser::$data['userid'],
'clock' => time(),
- 'ip' => substr($ip, 0, 39),
+ 'ip' => substr(CWebUser::getIp(), 0, 39),
'action' => $action,
'resourcetype' => $resourcetype,
'details' => $details
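Review bot: With `CWebUser::getIp()` the audit `ip` column on the replaced line now always holds the TCP peer address, so on a frontend behind a reverse proxy or load balancer every audit entry will record the proxy's address rather than the user's, which weakens the audit trail for incident response. That is still the right trade-off against a header the client controls, but it deserves a note so operators know to preserve the client address at the proxy layer; I would add above the `$values` array: `// Audit IP is the TCP peer address (REMOTE_ADDR); behind a reverse proxy this is the proxy unless it is configured to pass the real client address through.` The same applies to the two other call sites in this file. `add_audit` starts before this hunk.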
@@ -119,11 +117,10 @@ function add_audit_ext($action, $resourcetype, $resourceid, $resourcename, $tabl
? $resourceid
: (CWebUser::$data ? CWebUser::$data['userid'] : null);
- $ip = !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
$values = [
'userid' => $userid,
'clock' => time(),
- 'ip' => substr($ip, 0, 39),
+ 'ip' => substr(CWebUser::getIp(), 0, 39),
'action' => $action,
'resourcetype' => $resourcetype,
'resourceid' => $resourceid,
@@ -164,12 +161,10 @@ function add_audit_details($action, $resourcetype, $resourceid, $resourcename, $
$resourcename = mb_substr($resourcename, 0, 252).'...';
}
- $ip = !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
-
$values = [
'userid' => $userId,
'clock' => time(),
- 'ip' => substr($ip, 0, 39),
+ 'ip' => substr(CWebUser::getIp(), 0, 39),
'action' => $action,
'resourcetype' => $resourcetype,
'resourceid' => $resourceid,
diff --git a/frontends/php/include/classes/api/services/CUser.php b/frontends/php/include/classes/api/services/CUser.php
index 7f3293cd987..7cdb3aab962 100644
--- a/frontends/php/include/classes/api/services/CUser.php
+++ b/frontends/php/include/classes/api/services/CUser.php
@@ -1367,9 +1367,7 @@ class CUser extends CApiService {
private function getUserGroupsData($userid) {
$usrgrps = [
'debug_mode' => GROUP_DEBUG_MODE_DISABLED,
- 'userip' => (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER) && $_SERVER['HTTP_X_FORWARDED_FOR'] !== '')
- ? $_SERVER['HTTP_X_FORWARDED_FOR']
- : $_SERVER['REMOTE_ADDR'],
+ 'userip' => CWebUser::getIp(),
'users_status' => GROUP_STATUS_ENABLED,
'gui_access' => GROUP_GUI_ACCESS_SYSTEM
];
diff --git a/frontends/php/include/classes/core/ZBase.php b/frontends/php/include/classes/core/ZBase.php
index 0d60d48fae0..ad2e9699046 100644
--- a/frontends/php/include/classes/core/ZBase.php
+++ b/frontends/php/include/classes/core/ZBase.php
@@ -282,10 +282,7 @@ class ZBase {
require_once $this->getRootDir().'/conf/maintenance.inc.php';
if (defined('ZBX_DENY_GUI_ACCESS')) {
- $user_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))
- ? $_SERVER['HTTP_X_FORWARDED_FOR']
- : $_SERVER['REMOTE_ADDR'];
- if (!isset($ZBX_GUI_ACCESS_IP_RANGE) || !in_array($user_ip, $ZBX_GUI_ACCESS_IP_RANGE)) {
+ if (!isset($ZBX_GUI_ACCESS_IP_RANGE) || !in_array(CWebUser::getIp(), $ZBX_GUI_ACCESS_IP_RANGE)) {
throw new Exception($_REQUEST['warning_msg']);
}
}
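Review bot: The `in_array` check on the changed `if` line is still a loose comparison and only ever matches an exact string, so `$ZBX_GUI_ACCESS_IP_RANGE` is an allow list of literal addresses rather than ranges despite its name, and a non-string entry in that config array would compare loosely; pass the strict flag: `if (!isset($ZBX_GUI_ACCESS_IP_RANGE) || !in_array(CWebUser::getIp(), $ZBX_GUI_ACCESS_IP_RANGE, true)) {`. Because the value is now `REMOTE_ADDR`, a frontend behind a reverse proxy will present the proxy's address for every visitor, so the allow list either admits everyone coming through that proxy or nobody, and operators upgrading need to be told this. Separately, the context line throws `$_REQUEST['warning_msg']` as the exception text; that predates this change but, being request-controlled, is worth checking for escaping wherever it is rendered. The enclosing method starts before this hunk.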
diff --git a/frontends/php/include/classes/user/CWebUser.php b/frontends/php/include/classes/user/CWebUser.php
index 5a56200ade5..29f1574c568 100644
--- a/frontends/php/include/classes/user/CWebUser.php
+++ b/frontends/php/include/classes/user/CWebUser.php
@@ -258,4 +258,13 @@ class CWebUser {
public static function getLang() {
return (self::$data) ? substr(self::$data['lang'], 0, strpos(self::$data['lang'], '_')) : 'en';
}
+
+ /**
+ * Get user IP address.
+ *
+ * @return string
+ */
+ public static function getIp() {
+ return $_SERVER['REMOTE_ADDR'];
+ }
}
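Review bot: The new `getIp()` documents neither why it ignores `X-Forwarded-For` nor what it returns behind a proxy, which is exactly what a maintainer needs before someone "fixes" it back to reading the header; I would replace the one-line docblock with one saying that only the TCP peer address (`REMOTE_ADDR`) is used because the `X-Forwarded-For` header is client-supplied and spoofable, that behind a reverse proxy this is the proxy's address, and that any future support for forwarded headers must be limited to a configured list of trusted proxies and take the address the trusted proxy appended rather than the first entry in the chain. It also reads `$_SERVER['REMOTE_ADDR']` without a guard, so outside a web SAPI (CLI scripts or tests, if any reach this path) it emits an undefined-index notice; `return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';` keeps the callers' `substr`/`in_array` usage working and fails closed for the maintenance check. A `: string` return type would help too, if this branch's minimum PHP version allows it.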