author | Andrejs Griščenko <andrejs.griscenko@zabbix.com> | 2022-10-24 10:37:28 +0300 |
---|---|---|
committer | Andrejs Griščenko <andrejs.griscenko@zabbix.com> | 2022-10-24 10:56:20 +0300 |
commit | 01e10eb155bd78b2a79e1e458ae25823af96c0c7 (patch) | |
tree | b8449ba79453a7b9ebe45329dd1b7548570914b7 | |
parent | b6cf02f328416b03c0b061a62e6132632d87b603 (diff) |
A.F....... [DEV-2301] fixed spoofing X-Forwarded-For request header allows to access Frontend in maintenance mode
-rw-r--r-- | frontends/php/include/audit.inc.php | 11 | ||||
-rw-r--r-- | frontends/php/include/classes/api/services/CUser.php | 4 | ||||
-rw-r--r-- | frontends/php/include/classes/core/ZBase.php | 5 | ||||
-rw-r--r-- | frontends/php/include/classes/user/CWebUser.php | 9 |
4 files changed, 14 insertions, 15 deletions
diff --git a/frontends/php/include/audit.inc.php b/frontends/php/include/audit.inc.php
index 0b644235011..54ce20f4788 100644
--- a/frontends/php/include/audit.inc.php
+++ b/frontends/php/include/audit.inc.php
@@ -69,12 +69,10 @@ function add_audit($action, $resourcetype, $details) {
 		$details = mb_substr($details, 0, 125).'...';
 	}
 
-	$ip = !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
-
 	$values = [
 		'userid' => CWebUser::$data['userid'],
 		'clock' => time(),
-		'ip' => substr($ip, 0, 39),
+		'ip' => substr(CWebUser::getIp(), 0, 39),
 		'action' => $action,
 		'resourcetype' => $resourcetype,
 		'details' => $details
@@ -119,11 +117,10 @@ function add_audit_ext($action, $resourcetype, $resourceid, $resourcename, $tabl
 		? $resourceid
 		: (CWebUser::$data ? CWebUser::$data['userid'] : null);
 
-	$ip = !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
 	$values = [
 		'userid' => $userid,
 		'clock' => time(),
-		'ip' => substr($ip, 0, 39),
+		'ip' => substr(CWebUser::getIp(), 0, 39),
 		'action' => $action,
 		'resourcetype' => $resourcetype,
 		'resourceid' => $resourceid,
@@ -164,12 +161,10 @@ function add_audit_details($action, $resourcetype, $resourceid, $resourcename, $
 		$resourcename = mb_substr($resourcename, 0, 252).'...';
 	}
 
-	$ip = !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
-
 	$values = [
 		'userid' => $userId,
 		'clock' => time(),
-		'ip' => substr($ip, 0, 39),
+		'ip' => substr(CWebUser::getIp(), 0, 39),
 		'action' => $action,
 		'resourcetype' => $resourcetype,
 		'resourceid' => $resourceid,
diff --git a/frontends/php/include/classes/api/services/CUser.php b/frontends/php/include/classes/api/services/CUser.php
index 7f3293cd987..7cdb3aab962 100644
--- a/frontends/php/include/classes/api/services/CUser.php
+++ b/frontends/php/include/classes/api/services/CUser.php
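Review bot: With `CWebUser::getIp()` now returning only `REMOTE_ADDR`, the `ip` column written by add_audit (and by add_audit_ext / add_audit_details in the next two hunks) records the address of whatever connects to PHP directly, so behind a reverse proxy or load balancer every audit row will carry the proxy's address rather than the client's. That is the correct trust boundary for the application, but it should be stated for operators: the client address must be restored by the web server from an explicitly trusted proxy (Apache mod_remoteip, nginx real_ip) rather than by the frontend reading a client-supplied header. A one-line comment on the new line would keep the intent from being "fixed" back in a later edit, e.g. `'ip' => substr(CWebUser::getIp(), 0, 39), // REMOTE_ADDR only: X-Forwarded-For is client-controlled`. add_audit's body begins before this hunk and the `$values` array continues past it.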
@@ -1367,9 +1367,7 @@ class CUser extends CApiService {
 	private function getUserGroupsData($userid) {
 		$usrgrps = [
 			'debug_mode' => GROUP_DEBUG_MODE_DISABLED,
-			'userip' => (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER) && $_SERVER['HTTP_X_FORWARDED_FOR'] !== '')
-				? $_SERVER['HTTP_X_FORWARDED_FOR']
-				: $_SERVER['REMOTE_ADDR'],
+			'userip' => CWebUser::getIp(),
 			'users_status' => GROUP_STATUS_ENABLED,
 			'gui_access' => GROUP_GUI_ACCESS_SYSTEM
 		];
diff --git a/frontends/php/include/classes/core/ZBase.php b/frontends/php/include/classes/core/ZBase.php
index 0d60d48fae0..ad2e9699046 100644
--- a/frontends/php/include/classes/core/ZBase.php
+++ b/frontends/php/include/classes/core/ZBase.php
@@ -282,10 +282,7 @@ class ZBase {
 		require_once $this->getRootDir().'/conf/maintenance.inc.php';
 
 		if (defined('ZBX_DENY_GUI_ACCESS')) {
-			$user_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))
-				? $_SERVER['HTTP_X_FORWARDED_FOR']
-				: $_SERVER['REMOTE_ADDR'];
-			if (!isset($ZBX_GUI_ACCESS_IP_RANGE) || !in_array($user_ip, $ZBX_GUI_ACCESS_IP_RANGE)) {
+			if (!isset($ZBX_GUI_ACCESS_IP_RANGE) || !in_array(CWebUser::getIp(), $ZBX_GUI_ACCESS_IP_RANGE)) {
 				throw new Exception($_REQUEST['warning_msg']);
 			}
 		}
diff --git a/frontends/php/include/classes/user/CWebUser.php b/frontends/php/include/classes/user/CWebUser.php
index 5a56200ade5..29f1574c568 100644
--- a/frontends/php/include/classes/user/CWebUser.php
+++ b/frontends/php/include/classes/user/CWebUser.php
@@ -258,4 +258,13 @@ class CWebUser {
 	public static function getLang() {
 		return (self::$data) ? substr(self::$data['lang'], 0, strpos(self::$data['lang'], '_')) : 'en';
 	}
+
+	/**
+	 * Get user IP address.
+	 *
+	 * @return string
+	 */
+	public static function getIp() {
+		return $_SERVER['REMOTE_ADDR'];
+	}
 } |
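Review bot: `in_array(CWebUser::getIp(), $ZBX_GUI_ACCESS_IP_RANGE)` in the ZBase hunk still uses loose comparison; both sides are meant to be exact IP strings, so pass the strict flag, `in_array(CWebUser::getIp(), $ZBX_GUI_ACCESS_IP_RANGE, true)`, and a non-string entry in the config can never match by coercion. The operational consequence of the fix also deserves a comment at the check: because the address is now REMOTE_ADDR, a frontend behind a reverse proxy sees the proxy's address here, and putting that address in `$ZBX_GUI_ACCESS_IP_RANGE` would admit every client arriving through the proxy — the allowlist only works when the web server restores the real client address from a trusted proxy, or when the frontend is reached directly, e.g. `// REMOTE_ADDR is the only trusted source; never list a reverse proxy's address here`. The enclosing ZBase method starts before and ends after this hunk. `$_REQUEST['warning_msg']` on the throw line is untouched by this change and is presumably set by maintenance.inc.php; verify that it cannot be supplied by the client.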
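Review bot: The new `getIp()` docblock in the CWebUser hunk says only "Get user IP address", which hides the security decision this commit makes; a maintainer who sees the removed X-Forwarded-For branches elsewhere may well add them back. Document the trust boundary in the docblock: `Return the client address as seen by the web server (REMOTE_ADDR). X-Forwarded-For is deliberately not consulted because the client controls it; when the frontend runs behind a reverse proxy, have the web server overwrite REMOTE_ADDR from a trusted proxy list instead.` `$_SERVER['REMOTE_ADDR']` is undefined outside a web request (CLI), a gap the removed inline code shared; if any caller can run in that context, return `$_SERVER['REMOTE_ADDR'] ?? ''` (or guard with `array_key_exists`, if the codebase's PHP baseline predates `??`) and say so in the docblock. A `: string` return type would also match what callers such as `substr()` expect.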