In uc_clickandbuy.module there is the following check:
if (substr($_SERVER["REMOTE_ADDR"], 0, 11) != "217.22.128.") {
  $error = t('Invalid EMS PUSH remote IP @ip.', array('@ip' => $_SERVER["REMOTE_ADDR"]));
}
else ...
My reverse proxy (running apache2.2 that needs slowloris protection) receives the SOAP request from clickandbuy and sends it to apache, which errors because the REMOTE_ADDR header == 127.0.0.1.
The check should also be on the headers: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR. Read all about it!
So I'm suggesting this code:
function getClassCIp($ip) {
  // First 11 characters of a dotted-quad address, e.g. "217.22.128."
  return substr($ip, 0, 11);
}
function checkIp($clickAndBuyIp) {
  if (!empty($_SERVER['HTTP_CLIENT_IP']) &&
      getClassCIp($_SERVER['HTTP_CLIENT_IP']) == $clickAndBuyIp) // check IP from shared internet
  {
    return true;
  }
  elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) &&
          getClassCIp($_SERVER['HTTP_X_FORWARDED_FOR']) == $clickAndBuyIp) // check if it is passed from a proxy
  {
    return true;
  }
  else
  {
    return getClassCIp($_SERVER['REMOTE_ADDR']) == $clickAndBuyIp;
  }
}
PS: first issue post here, so excuse me for booboos
Comments
Comment #1
slickrik commented: Actually, use this... nice and generic... PHP 4 && 5 proof, nothing deprecated. No magic numbers like substr($ip,0,11)
greets Rik
Comment #2
longwave commented: The problem with simply checking HTTP_X_FORWARDED_FOR is that it can easily be spoofed; any client can send this header and pretend to be forwarding for someone else.
Drupal 6 works around this in the ip_address() function, which this module uses in the 6.x releases. Drupal 5 does not appear to support reverse proxies and apparently has other similar issues, see #142773: Drupal does not fully work when using a reverse proxy for details. I'm tempted to mark this as "won't fix" unless someone can find evidence that Drupal 5 was actually designed to support reverse proxies without patching.
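The distinction longwave draws above, between the proposed check (which believes HTTP_X_FORWARDED_FOR from any client) and a proxy-aware check that only honours the header when the direct peer is one of our own reverse proxies, can be shown in a few lines. The following is an added example written for this thread; it is not code from the issue, from uc_clickandbuy, or Drupal's own ip_address(). The function names, the trusted-proxy list (127.0.0.1, matching the reverse proxy described in the original post) and the three sample requests are all constructed for the demonstration; the 217.22.128. prefix is the one from the module.

```php
<?php
// Added example (not from the issue, Ubercart or Drupal): resolve the real
// client address behind a reverse proxy without trusting X-Forwarded-For
// from arbitrary clients. Only the addresses in $trusted_proxies are
// believed; $trusted_proxies and the sample requests are constructed.

/**
 * Return the client IP for a request, honouring X-Forwarded-For only when the
 * direct peer (REMOTE_ADDR) is one of our own reverse proxies.
 *
 * X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the peer it
 * saw. Walking it from the right and discarding our trusted proxies leaves
 * the first address that was not appended by something we control.
 */
function client_ip_behind_proxy(array $server, array $trusted_proxies) {
  $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
  if (!in_array($remote, $trusted_proxies, TRUE)) {
    // Direct connection: any forwarding headers are client-supplied, ignore them.
    return $remote;
  }
  if (empty($server['HTTP_X_FORWARDED_FOR'])) {
    // A trusted proxy that forwarded nothing: report the proxy itself.
    return $remote;
  }
  $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
  // Drop trailing entries that are our own proxies; the next one is the client.
  while (count($hops) > 1 && in_array(end($hops), $trusted_proxies, TRUE)) {
    array_pop($hops);
  }
  $candidate = end($hops);
  // A spoofed header can contain anything, so fall back to the peer on garbage.
  return filter_var($candidate, FILTER_VALIDATE_IP) !== FALSE ? $candidate : $remote;
}

/**
 * The module's allow-list check applied to the resolved client address.
 * The prefix is the one used in uc_clickandbuy.module; the helper is ours.
 */
function clickandbuy_push_allowed(array $server, array $trusted_proxies) {
  $ip = client_ip_behind_proxy($server, $trusted_proxies);
  return strpos($ip, '217.22.128.') === 0;
}

// Constructed requests for demonstration (hypothetical values).
$trusted = array('127.0.0.1');

// 1. Genuine PUSH arriving via our reverse proxy: accepted.
$via_proxy = array(
  'REMOTE_ADDR' => '127.0.0.1',
  'HTTP_X_FORWARDED_FOR' => '217.22.128.45',
);
// 2. Direct client spoofing the header: REMOTE_ADDR is not a trusted proxy,
//    so the header is ignored and the request is rejected.
$spoofed = array(
  'REMOTE_ADDR' => '203.0.113.9',
  'HTTP_X_FORWARDED_FOR' => '217.22.128.45',
);
// 3. Spoofed header that passed through our proxy: the proxy appended the
//    real peer, and that appended entry is what gets checked.
$spoofed_via_proxy = array(
  'REMOTE_ADDR' => '127.0.0.1',
  'HTTP_X_FORWARDED_FOR' => '217.22.128.45, 203.0.113.9',
);

var_dump(clickandbuy_push_allowed($via_proxy, $trusted));
var_dump(clickandbuy_push_allowed($spoofed, $trusted));
var_dump(clickandbuy_push_allowed($spoofed_via_proxy, $trusted));
```

Only the first request is accepted. The key design choice is that the header is consulted only after REMOTE_ADDR has been matched against a fixed list of our own proxies, which is the same reverse_proxy idea Drupal 6's ip_address() relies on; HTTP_CLIENT_IP is deliberately not consulted at all, since nothing on the path we control sets it.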
Comment #3
longwave