From 1e3e58aeed66d73292c529eb2c3110408ae83e71 Mon Sep 17 00:00:00 2001 From: Roman Kelesidis Date: Tue, 19 Aug 2025 11:24:23 +0300 Subject: [PATCH] feat: Enhance client IP detection with trusted proxy validation (#2085) * feat: Enhance client IP detection with trusted proxy validation * Update common.php * Update composer.lock --- common.php | 39 +++++++++++++-- composer.lock | 129 +++++++++++++++++++++++++++++--------------------- 2 files changed, 111 insertions(+), 57 deletions(-) diff --git a/common.php b/common.php index a455a7de2..333d2e821 100644 --- a/common.php +++ b/common.php 
@@ -42,12 +42,43 @@ header('X-Frame-Options: SAMEORIGIN'); date_default_timezone_set('UTC'); // Set remote address -$allowedCDNs = ['HTTP_X_FORWARDED_FOR', 'HTTP_FASTLY_CLIENT_IP', 'HTTP_CF_CONNECTING_IP']; -foreach ($allowedCDNs as $allowedCDN) { - if (isset($_SERVER[$allowedCDN]) && filter_var($_SERVER[$allowedCDN], FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { - $_SERVER['REMOTE_ADDR'] = $_SERVER[$allowedCDN]; +$trustedProxies = [ + // Optional trusted proxy validation (empty array = disabled) + // '127.0.0.1' +]; + +$allowedCDNs = [ + 'HTTP_CF_CONNECTING_IP', + 'HTTP_FASTLY_CLIENT_IP', + 'HTTP_X_REAL_IP', + 'HTTP_X_FORWARDED_FOR', + // Add your custom headers here if needed + // Example: 'HTTP_TRUE_CLIENT_IP', // Akamai + // Example: 'HTTP_X_CLIENT_IP', // Custom proxy + // Example: 'HTTP_INCAP_CLIENT_IP', // Incapsula +]; + +if (empty($trustedProxies) || in_array($_SERVER['REMOTE_ADDR'], $trustedProxies)) { + foreach ($allowedCDNs as $header) { + if (!isset($_SERVER[$header])) { + continue; + } + + if ($header === 'HTTP_X_FORWARDED_FOR') { + // Handle X-Forwarded-For which may contain multiple IPs + $ips = explode(',', $_SERVER[$header]); + $clientIP = trim($ips[0]); + } else { + $clientIP = $_SERVER[$header]; + } + + if (filter_var($clientIP, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { + $_SERVER['REMOTE_ADDR'] = $clientIP; + break; + } } } +unset($trustedProxies, $clientIP, $allowedCDNs); // Get all constants require_once BB_PATH . '/library/defines.php'; diff --git a/composer.lock b/composer.lock index 5ce29ce7c..cfca5f6b3 100644 --- a/composer.lock +++ b/composer.lock 
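Review bot: With the shipped default `$trustedProxies = []`, the `empty($trustedProxies) ||` clause makes the header override unconditional, so any client can send `X-Forwarded-For`, `X-Real-IP` or `CF-Connecting-IP` with an arbitrary public address and have it become `$_SERVER['REMOTE_ADDR']` for bans, rate limits and logs — the spoofing the "trusted proxy validation" in the title appears meant to prevent is the out-of-the-box state. Invert the default so no header is honoured until the operator lists the proxy: `if (!empty($trustedProxies) && in_array($_SERVER['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {`, and reword the array comment to "empty array = trust only the TCP peer address". Even behind a trusted proxy, `trim($ips[0])` takes the leftmost X-Forwarded-For entry, which is whatever the client sent and the proxy merely appended to; the proxy-supplied client address is the rightmost entry not in `$trustedProxies`, so the XFF branch should walk the list from the end. The header cascade is also global: a proxy that only sets `X-Real-IP` passes a client-supplied `CF-Connecting-IP` straight through, and that header is consulted first, so `$allowedCDNs` should be trimmed to the header the deployed proxy actually sets. Exact-match `in_array` cannot express a CDN's published CIDR ranges, which is presumably why the list is empty by default; a small CIDR matcher (or `ip2long` mask compare for IPv4) would make the trusted list usable for Cloudflare/Fastly.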
@@ -80,20 +80,20 @@ }, { "name": "arokettu/is-resource", - "version": "1.0.4", + "version": "1.0.5", "source": { "type": "git", "url": "https://github.com/arokettu/is-resource.git", - "reference": "6a4966bf4608c69d20b7bf01670b49901a51eb9d" + "reference": "17d3e955140b23c53c4d47d779f1e443d492ffad" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/arokettu/is-resource/zipball/6a4966bf4608c69d20b7bf01670b49901a51eb9d", - "reference": "6a4966bf4608c69d20b7bf01670b49901a51eb9d", + "url": "https://api.github.com/repos/arokettu/is-resource/zipball/17d3e955140b23c53c4d47d779f1e443d492ffad", + "reference": "17d3e955140b23c53c4d47d779f1e443d492ffad", "shasum": "" }, "require": { - "php": ">= 5.3 < 8.5" + "php": ">=5.3 <8.6" }, "type": "library", "autoload": { @@ -137,7 +137,7 @@ "issues": "https://gitlab.com/sandfox/is-resource/-/issues", "source": "https://gitlab.com/sandfox/is-resource" }, - "time": "2024-08-27T04:34:45+00:00" + "time": "2025-08-15T16:09:36+00:00" }, { "name": "arokettu/monsterid", @@ -145,12 +145,12 @@ "source": { "type": "git", "url": "https://github.com/arokettu/monsterid.git", - "reference": "4e7484a593c42eba960ee555877dd9b26577fe8a" + "reference": "75385558ba1aef68f9bd969855054070a19ebffc" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/arokettu/monsterid/zipball/4e7484a593c42eba960ee555877dd9b26577fe8a", - "reference": "4e7484a593c42eba960ee555877dd9b26577fe8a", + "url": "https://api.github.com/repos/arokettu/monsterid/zipball/75385558ba1aef68f9bd969855054070a19ebffc", + "reference": "75385558ba1aef68f9bd969855054070a19ebffc", "shasum": "" }, "require": { @@ -215,7 +215,7 @@ "issues": "https://gitlab.com/sandfox/monsterid/-/issues", "source": "https://gitlab.com/sandfox/monsterid" }, - "time": "2025-04-03T13:37:00+00:00" + "time": "2025-08-15T16:45:09+00:00" }, { "name": "arokettu/random-polyfill", 
@@ -749,16 +749,16 @@ }, { "name": "filp/whoops", - "version": "2.18.3", + "version": "2.18.4", "source": { "type": "git", "url": "https://github.com/filp/whoops.git", - "reference": "59a123a3d459c5a23055802237cb317f609867e5" + "reference": "d2102955e48b9fd9ab24280a7ad12ed552752c4d" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/filp/whoops/zipball/59a123a3d459c5a23055802237cb317f609867e5", - "reference": "59a123a3d459c5a23055802237cb317f609867e5", + "url": "https://api.github.com/repos/filp/whoops/zipball/d2102955e48b9fd9ab24280a7ad12ed552752c4d", + "reference": "d2102955e48b9fd9ab24280a7ad12ed552752c4d", "shasum": "" }, "require": { @@ -808,7 +808,7 @@ ], "support": { "issues": "https://github.com/filp/whoops/issues", - "source": "https://github.com/filp/whoops/tree/2.18.3" + "source": "https://github.com/filp/whoops/tree/2.18.4" }, "funding": [ { @@ -816,7 +816,7 @@ "type": "github" } ], - "time": "2025-06-16T00:02:10+00:00" + "time": "2025-08-08T12:00:00+00:00" }, { "name": "gemorroj/m3u-parser", @@ -2848,16 +2848,16 @@ }, { "name": "symfony/event-dispatcher", - "version": "v6.4.13", + "version": "v6.4.24", "source": { "type": "git", "url": "https://github.com/symfony/event-dispatcher.git", - "reference": "0ffc48080ab3e9132ea74ef4e09d8dcf26bf897e" + "reference": "307a09d8d7228d14a05e5e05b95fffdacab032b2" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/0ffc48080ab3e9132ea74ef4e09d8dcf26bf897e", - "reference": "0ffc48080ab3e9132ea74ef4e09d8dcf26bf897e", + "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/307a09d8d7228d14a05e5e05b95fffdacab032b2", + "reference": "307a09d8d7228d14a05e5e05b95fffdacab032b2", "shasum": "" }, "require": { 
@@ -2908,7 +2908,7 @@ "description": "Provides tools that allow your application components to communicate with each other by dispatching events and listening to them", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/event-dispatcher/tree/v6.4.13" + "source": "https://github.com/symfony/event-dispatcher/tree/v6.4.24" }, "funding": [ { @@ -2919,12 +2919,16 @@ "url": "https://github.com/fabpot", "type": "github" }, + { + "url": "https://github.com/nicolas-grekas", + "type": "github" + }, { "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", "type": "tidelift" } ], - "time": "2024-09-25T14:18:03+00:00" + "time": "2025-07-10T08:14:14+00:00" }, { "name": "symfony/event-dispatcher-contracts", @@ -3004,16 +3008,16 @@ }, { "name": "symfony/filesystem", - "version": "v6.4.13", + "version": "v6.4.24", "source": { "type": "git", "url": "https://github.com/symfony/filesystem.git", - "reference": "4856c9cf585d5a0313d8d35afd681a526f038dd3" + "reference": "75ae2edb7cdcc0c53766c30b0a2512b8df574bd8" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/filesystem/zipball/4856c9cf585d5a0313d8d35afd681a526f038dd3", - "reference": "4856c9cf585d5a0313d8d35afd681a526f038dd3", + "url": "https://api.github.com/repos/symfony/filesystem/zipball/75ae2edb7cdcc0c53766c30b0a2512b8df574bd8", + "reference": "75ae2edb7cdcc0c53766c30b0a2512b8df574bd8", "shasum": "" }, "require": { @@ -3050,7 +3054,7 @@ "description": "Provides basic utilities for the filesystem", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/filesystem/tree/v6.4.13" + "source": "https://github.com/symfony/filesystem/tree/v6.4.24" }, "funding": [ { 
@@ -3061,25 +3065,29 @@ "url": "https://github.com/fabpot", "type": "github" }, + { + "url": "https://github.com/nicolas-grekas", + "type": "github" + }, { "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", "type": "tidelift" } ], - "time": "2024-10-25T15:07:50+00:00" + "time": "2025-07-10T08:14:14+00:00" }, { "name": "symfony/finder", - "version": "v6.4.17", + "version": "v6.4.24", "source": { "type": "git", "url": "https://github.com/symfony/finder.git", - "reference": "1d0e8266248c5d9ab6a87e3789e6dc482af3c9c7" + "reference": "73089124388c8510efb8d2d1689285d285937b08" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/finder/zipball/1d0e8266248c5d9ab6a87e3789e6dc482af3c9c7", - "reference": "1d0e8266248c5d9ab6a87e3789e6dc482af3c9c7", + "url": "https://api.github.com/repos/symfony/finder/zipball/73089124388c8510efb8d2d1689285d285937b08", + "reference": "73089124388c8510efb8d2d1689285d285937b08", "shasum": "" }, "require": { @@ -3114,7 +3122,7 @@ "description": "Finds files and directories via an intuitive fluent interface", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/finder/tree/v6.4.17" + "source": "https://github.com/symfony/finder/tree/v6.4.24" }, "funding": [ { 
@@ -3125,25 +3133,29 @@ "url": "https://github.com/fabpot", "type": "github" }, + { + "url": "https://github.com/nicolas-grekas", + "type": "github" + }, { "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", "type": "tidelift" } ], - "time": "2024-12-29T13:51:37+00:00" + "time": "2025-07-15T12:02:45+00:00" }, { "name": "symfony/mailer", - "version": "v6.4.23", + "version": "v6.4.24", "source": { "type": "git", "url": "https://github.com/symfony/mailer.git", - "reference": "a480322ddf8e54de262c9bca31fdcbe26b553de5" + "reference": "b4d7fa2c69641109979ed06e98a588d245362062" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/mailer/zipball/a480322ddf8e54de262c9bca31fdcbe26b553de5", - "reference": "a480322ddf8e54de262c9bca31fdcbe26b553de5", + "url": "https://api.github.com/repos/symfony/mailer/zipball/b4d7fa2c69641109979ed06e98a588d245362062", + "reference": "b4d7fa2c69641109979ed06e98a588d245362062", "shasum": "" }, "require": { @@ -3194,7 +3206,7 @@ "description": "Helps sending emails", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/mailer/tree/v6.4.23" + "source": "https://github.com/symfony/mailer/tree/v6.4.24" }, "funding": [ { 
@@ -3205,25 +3217,29 @@ "url": "https://github.com/fabpot", "type": "github" }, + { + "url": "https://github.com/nicolas-grekas", + "type": "github" + }, { "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", "type": "tidelift" } ], - "time": "2025-06-26T21:24:02+00:00" + "time": "2025-07-24T08:25:04+00:00" }, { "name": "symfony/mime", - "version": "v6.4.21", + "version": "v6.4.24", "source": { "type": "git", "url": "https://github.com/symfony/mime.git", - "reference": "fec8aa5231f3904754955fad33c2db50594d22d1" + "reference": "664d5e844a2de5e11c8255d0aef6bc15a9660ac7" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/mime/zipball/fec8aa5231f3904754955fad33c2db50594d22d1", - "reference": "fec8aa5231f3904754955fad33c2db50594d22d1", + "url": "https://api.github.com/repos/symfony/mime/zipball/664d5e844a2de5e11c8255d0aef6bc15a9660ac7", + "reference": "664d5e844a2de5e11c8255d0aef6bc15a9660ac7", "shasum": "" }, "require": { @@ -3279,7 +3295,7 @@ "mime-type" ], "support": { - "source": "https://github.com/symfony/mime/tree/v6.4.21" + "source": "https://github.com/symfony/mime/tree/v6.4.24" }, "funding": [ { @@ -3290,12 +3306,16 @@ "url": "https://github.com/fabpot", "type": "github" }, + { + "url": "https://github.com/nicolas-grekas", + "type": "github" + }, { "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", "type": "tidelift" } ], - "time": "2025-04-27T13:27:38+00:00" + "time": "2025-07-15T12:02:45+00:00" }, { "name": "symfony/polyfill", 
@@ -3639,16 +3659,16 @@ "packages-dev": [ { "name": "symfony/var-dumper", - "version": "v6.4.23", + "version": "v6.4.24", "source": { "type": "git", "url": "https://github.com/symfony/var-dumper.git", - "reference": "d55b1834cdbfcc31bc2cd7e095ba5ed9a88f6600" + "reference": "aa29484ce0544bd69fa9f0df902e5ed7b7fe5034" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/var-dumper/zipball/d55b1834cdbfcc31bc2cd7e095ba5ed9a88f6600", - "reference": "d55b1834cdbfcc31bc2cd7e095ba5ed9a88f6600", + "url": "https://api.github.com/repos/symfony/var-dumper/zipball/aa29484ce0544bd69fa9f0df902e5ed7b7fe5034", + "reference": "aa29484ce0544bd69fa9f0df902e5ed7b7fe5034", "shasum": "" }, "require": { @@ -3660,7 +3680,6 @@ "symfony/console": "<5.4" }, "require-dev": { - "ext-iconv": "*", "symfony/console": "^5.4|^6.0|^7.0", "symfony/error-handler": "^6.3|^7.0", "symfony/http-kernel": "^5.4|^6.0|^7.0", @@ -3704,7 +3723,7 @@ "dump" ], "support": { - "source": "https://github.com/symfony/var-dumper/tree/v6.4.23" + "source": "https://github.com/symfony/var-dumper/tree/v6.4.24" }, "funding": [ { @@ -3715,12 +3734,16 @@ "url": "https://github.com/fabpot", "type": "github" }, + { + "url": "https://github.com/nicolas-grekas", + "type": "github" + }, { "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", "type": "tidelift" } ], - "time": "2025-06-27T15:05:27+00:00" + "time": "2025-07-29T18:40:01+00:00" } ], "aliases": [],