php/yii2
1
0
Fork 0
mirror of https://github.com/yiisoft/yii2.git synced 2025-11-08 17:07:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix #17573: Request::getUserIP() security fix for the case when Request::$trustedHost and Request::$ipHeaders are used

Browse Source
This commit is contained in:
Somogyi Márton
2019-10-03 13:56:20 +02:00
committed by Alexander Makarov
parent ce0c7ad096
commit c87855b31c
4 changed files with 101 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
framework/CHANGELOG.md
View File

@ -4,7 +4,7 @@ Yii Framework 2 Change Log
2.0.28 under development
------------------------
- no changes in this release.
- Bug #17573: `Request::getUserIP()` security fix for the case when `Request::$trustedHost` and `Request::$ipHeaders` are used (kamarton)
2.0.27 September 18, 2019

2
framework/validators/IpValidator.php
View File

@ -247,7 +247,7 @@ class IpValidator extends Validator
*
* @property array the IPv4 or IPv6 ranges that are allowed or forbidden.
* See [[setRanges()]] for detailed description.
* @param array $ranges the IPv4 or IPv6 ranges that are allowed or forbidden.
* @param array|string $ranges the IPv4 or IPv6 ranges that are allowed or forbidden.
*
* When the array is empty, or the option not set, all IP addresses are allowed.
*

76
framework/web/Request.php
View File

@ -290,6 +290,23 @@ class Request extends \yii\base\Request
* @since 2.0.13
*/
protected function filterHeaders(HeaderCollection $headerCollection)
{
$trustedHeaders = $this->getTrustedIpHeaders();
// remove all secure headers unless they are trusted
foreach ($this->secureHeaders as $secureHeader) {
if (!in_array($secureHeader, $trustedHeaders)) {
$headerCollection->remove($secureHeader);
}
}
}
/**
* Trusted Ip headers according to the [[trustedHosts]].
* @return array
* @since 2.0.28
*/
protected function getTrustedIpHeaders()
{
// do not trust any of the [[secureHeaders]] by default
$trustedHeaders = [];
@ -310,13 +327,7 @@ class Request extends \yii\base\Request
}
}
}
// filter all secure headers unless they are trusted
foreach ($this->secureHeaders as $secureHeader) {
if (!in_array($secureHeader, $trustedHeaders)) {
$headerCollection->remove($secureHeader);
}
}
return $trustedHeaders;
}
/**
@ -1131,15 +1142,62 @@ class Request extends \yii\base\Request
*/
public function getUserIP()
{
foreach ($this->ipHeaders as $ipHeader) {
foreach($this->getTrustedIpHeaders() as $ipHeader) {
if ($this->headers->has($ipHeader)) {
return trim(explode(',', $this->headers->get($ipHeader))[0]);
$ip = $this->getUserIpFromIpHeader($this->headers->get($ipHeader));
if ($ip !== null) {
return $ip;
}
}
}
return $this->getRemoteIP();
}
/**
* Return user IP's from IP header.
*
* @param string $ips comma separated IP list
* @return string|null IP as string. Null is returned if IP can not be determined from header.
* @see $getUserHost
* @see $ipHeader
* @see $trustedHeaders
* @since 2.0.28
*/
protected function getUserIpFromIpHeader($ips)
{
$ips = trim($ips);
if ($ips === '') {
return null;
}
$ips = preg_split('/\s*,\s*/', $ips, -1, PREG_SPLIT_NO_EMPTY);
krsort($ips);
$validator = $this->getIpValidator();
$resultIp = null;
foreach ($ips as $ip) {
$validator->setRanges('any');
if (!$validator->validate($ip) /* checking IP format */) {
break;
}
$resultIp = $ip;
$isTrusted = false;
foreach ($this->trustedHosts as $trustedCidr => $trustedCidrOrHeaders) {
if (!is_array($trustedCidrOrHeaders)) {
$trustedCidr = $trustedCidrOrHeaders;
}
$validator->setRanges($trustedCidr);
if ($validator->validate($ip) /* checking trusted range */) {
$isTrusted = true;
break;
}
}
if (!$isTrusted) {
break;
}
}
return $resultIp;
}
/**
* Returns the user host name.
* The HOST is determined using headers and / or `$_SERVER` variables.