aboutsummaryrefslogtreecommitdiff
path: root/lib/lib_rss.php
diff options
context:
space:
mode:
Diffstat (limited to 'lib/lib_rss.php')
-rw-r--r--lib/lib_rss.php40
1 files changed, 31 insertions, 9 deletions
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index ec00513e2..9d995c6d6 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -653,21 +653,43 @@ function checkCIDR(string $ip, string $range): bool {
}
/**
- * Check if the client is allowed to send unsafe headers
- * This uses the REMOTE_ADDR header to determine the sender’s IP
- * and the configuration option "trusted_sources" to get an array of the authorized ranges
- *
+ * Use CONN_REMOTE_ADDR (if available, to be robust even when using Apache mod_remoteip) or REMOTE_ADDR environment variable to determine the connection IP.
+ */
+function connectionRemoteAddress(): string {
+ $remoteIp = $_SERVER['CONN_REMOTE_ADDR'] ?? '';
+ if ($remoteIp == '') {
+ $remoteIp = $_SERVER['REMOTE_ADDR'] ?? '';
+ }
+ if ($remoteIp == 0) {
+ $remoteIp = '';
+ }
+ return $remoteIp;
+}
+
+/**
+ * Check if the client (e.g. last proxy) is allowed to send unsafe headers.
+ * This uses the `TRUSTED_PROXY` environment variable or the `trusted_sources` configuration option to get an array of the authorized ranges,
+ * The connection IP is obtained from the `CONN_REMOTE_ADDR` (if available, to be robust even when using Apache mod_remoteip) or `REMOTE_ADDR` environment variables.
* @return bool, true if the sender’s IP is in one of the ranges defined in the configuration, else false
*/
function checkTrustedIP(): bool {
if (FreshRSS_Context::$system_conf === null) {
return false;
}
- if (!empty($_SERVER['REMOTE_ADDR'])) {
- foreach (FreshRSS_Context::$system_conf->trusted_sources as $cidr) {
- if (checkCIDR($_SERVER['REMOTE_ADDR'], $cidr)) {
- return true;
- }
+ $remoteIp = connectionRemoteAddress();
+ if ($remoteIp === '') {
+ return false;
+ }
+ $trusted = getenv('TRUSTED_PROXY');
+ if ($trusted != 0 && is_string($trusted)) {
+ $trusted = preg_split('/\s+/', $trusted, -1, PREG_SPLIT_NO_EMPTY);
+ }
+ if (empty($trusted)) {
+ $trusted = FreshRSS_Context::$system_conf->trusted_sources;
+ }
+ foreach (FreshRSS_Context::$system_conf->trusted_sources as $cidr) {
+ if (checkCIDR($remoteIp, $cidr)) {
+ return true;
}
}
return false;
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-10 13:21:34 +0000