
Commit a510cdf

committed
Bug-fix.
Changelog excerpt: - Failed to correctly determine the client's IP address under certain circumstances (e.g., multiple choices available via HTTP_X_FORWARDED_FOR); Fixed.
1 parent fa9791f commit a510cdf


2 files changed

+23
-19
lines changed


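--- a/Changelog.md
+++ b/Changelog.md
@@ -67,3 +67,7 @@ __*Why "v3.0.0" instead of "v1.0.0?"*__ Prior to phpMussel v3, the "phpMussel Co
 [2021.11.27; Maikuolan]: At the front-end configuration page, configuration directives relying on specific extensions (specifically, at this time, the supplementary cache options) will now include a notice as to whether the extensions relied upon are available.
 
 [2022.01.22; Maikuolan]: Dropped Gitter chat in favour of using GitHub Discussions instead.
+
+### v3.2.2
+
+[2022.02.01; Bug-fix; Maikuolan]: Failed to correctly determine the client's IP address under certain circumstances (e.g., multiple choices available via HTTP_X_FORWARDED_FOR); Fixed.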

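--- a/src/FrontEnd.php
+++ b/src/FrontEnd.php
@@ -8,7 +8,7 @@
 * License: GNU/GPLv2
 * @see LICENSE.txt
 *
-* This file: Front-end handler (last modified: 2022.01.22).
+* This file: Front-end handler (last modified: 2022.02.01).
 */
 
 namespace phpMussel\FrontEnd;
@@ -222,10 +222,10 @@ public function view(string $Page = ''): void
 {
 /** Brute-force protection. */
 if ((
-($LoginAttempts = (int)$this->Loader->Cache->getEntry('LoginAttempts' . $_SERVER[$this->Loader->Configuration['core']['ipaddr']])) &&
+($LoginAttempts = (int)$this->Loader->Cache->getEntry('LoginAttempts' . $this->IPAddr)) &&
 ($LoginAttempts >= $this->Loader->Configuration['frontend']['max_login_attempts'])
 ) || (
-($Failed2FA = (int)$this->Loader->Cache->getEntry('Failed2FA' . $_SERVER[$this->Loader->Configuration['core']['ipaddr']])) &&
+($Failed2FA = (int)$this->Loader->Cache->getEntry('Failed2FA' . $this->IPAddr)) &&
 ($Failed2FA >= $this->Loader->Configuration['frontend']['max_login_attempts'])
 )) {
 header('Content-Type: text/plain');
@@ -294,10 +294,10 @@ public function view(string $Page = ''): void
 ),
 
 /** The user agent of the current request. */
-'UA' => empty($_SERVER['HTTP_USER_AGENT']) ? '' : $_SERVER['HTTP_USER_AGENT'],
+'UA' => $_SERVER['HTTP_USER_AGENT'] ?? '',
 
 /** The IP address of the current request. */
-'YourIP' => empty($_SERVER[$this->Loader->Configuration['core']['ipaddr']]) ? '' : $_SERVER[$this->Loader->Configuration['core']['ipaddr']],
+'YourIP' => $this->IPAddr,
 
 /** Asynchronous mode. */
 'ASYNC' => !empty($_POST['ASYNC']),
@@ -455,7 +455,7 @@ public function view(string $Page = ''): void
 !empty($this->Loader->Configuration[$ConfigUserPath]['permissions'])
 ) {
 if (password_verify($_POST['password'], $this->Loader->Configuration[$ConfigUserPath]['password'])) {
-$this->Loader->Cache->deleteEntry('LoginAttempts' . $_SERVER[$this->Loader->Configuration['core']['ipaddr']]);
+$this->Loader->Cache->deleteEntry('LoginAttempts' . $this->IPAddr);
 $Permissions = (int)$this->Loader->Configuration[$ConfigUserPath]['permissions'];
 if ($Permissions !== 1 && $Permissions !== 2) {
 $FE['state_msg'] = $this->Loader->L10N->getString('response_login_wrong_endpoint');
@@ -512,7 +512,7 @@ public function view(string $Page = ''): void
 if ($FE['state_msg']) {
 $LoginAttempts++;
 $TimeToAdd = ($LoginAttempts > 4) ? ($LoginAttempts - 4) * 86400 : 86400;
-$this->Loader->Cache->setEntry('LoginAttempts' . $_SERVER[$this->Loader->Configuration['core']['ipaddr']], $LoginAttempts, $TimeToAdd ?: 86400);
+$this->Loader->Cache->setEntry('LoginAttempts' . $this->IPAddr, $LoginAttempts, $TimeToAdd ?: 86400);
 $LoggerMessage = $FE['state_msg'];
 }
 } elseif ($this->Permissions === 3) {
@@ -523,10 +523,10 @@ public function view(string $Page = ''): void
 }
 
 /** Safer for the front-end logger. */
-$TryUser = preg_replace('~[\x00-\x1f]~', '', $TryUser ?? $this->User);
+$TryUser = preg_replace('~[\x00-\x1F]~', '', $TryUser ?? $this->User);
 
 /** Handle front-end logging. */
-$this->frontendLogger($_SERVER[$this->Loader->Configuration['core']['ipaddr']], $TryUser, $LoggerMessage ?? '');
+$this->frontendLogger($this->IPAddr, $TryUser, $LoggerMessage ?? '');
 }
 
 /** Determine whether the user has logged in. */
@@ -561,16 +561,16 @@ public function view(string $Page = ''): void
 if (password_verify($_POST['2fa'], substr($TwoFactorState, 1))) {
 $this->Loader->Cache->setEntry('TwoFactorState:' . $_COOKIE['PHPMUSSEL-ADMIN'], '1', $this->SessionTTL);
 $Try = 1;
-$this->Loader->Cache->deleteEntry('Failed2FA' . $_SERVER[$this->Loader->Configuration['core']['ipaddr']]);
+$this->Loader->Cache->deleteEntry('Failed2FA' . $this->IPAddr);
 if ($this->Loader->Configuration['frontend']['frontend_log']) {
-$this->frontendLogger($_SERVER[$this->Loader->Configuration['core']['ipaddr']], $SessionUser, $this->Loader->L10N->getString('response_2fa_valid'));
+$this->frontendLogger($this->IPAddr, $SessionUser, $this->Loader->L10N->getString('response_2fa_valid'));
 }
 } else {
 $Failed2FA++;
 $TimeToAdd = ($Failed2FA > 4) ? ($Failed2FA - 4) * 86400 : 86400;
-$this->Loader->Cache->setEntry('Failed2FA' . $_SERVER[$this->Loader->Configuration['core']['ipaddr']], $Failed2FA, $TimeToAdd ?: 86400);
+$this->Loader->Cache->setEntry('Failed2FA' . $this->IPAddr, $Failed2FA, $TimeToAdd ?: 86400);
 if ($this->Loader->Configuration['frontend']['frontend_log']) {
-$this->frontendLogger($_SERVER[$this->Loader->Configuration['core']['ipaddr']], $SessionUser, $this->Loader->L10N->getString('response_2fa_invalid'));
+$this->frontendLogger($this->IPAddr, $SessionUser, $this->Loader->L10N->getString('response_2fa_invalid'));
 }
 $FE['state_msg'] = $this->Loader->L10N->getString('response_2fa_invalid');
 }
@@ -605,7 +605,7 @@ public function view(string $Page = ''): void
 $this->User = '';
 $this->Permissions = 0;
 setcookie('PHPMUSSEL-ADMIN', '', -1, '/', $this->HostnameOverride ?: $this->Host, false, true);
-$this->frontendLogger($_SERVER[$this->Loader->Configuration['core']['ipaddr']], $SessionUser, $this->Loader->L10N->getString('state_logged_out'));
+$this->frontendLogger($this->IPAddr, $SessionUser, $this->Loader->L10N->getString('state_logged_out'));
 }
 
 if ($this->Permissions === 1) {
@@ -1079,7 +1079,7 @@ public function view(string $Page = ''): void
 if (in_array($DirValue['type'], ['bool', 'float', 'int', 'kb', 'string', 'timezone', 'email', 'url'], true)) {
 $this->Loader->autoType($_POST[$ThisDir['DirLangKey']], $DirValue['type']);
 }
-if (!preg_match('/[^\x20-\xff"\']/', $_POST[$ThisDir['DirLangKey']]) && (
+if (!preg_match('/[^\x20-\xFF"\']/', $_POST[$ThisDir['DirLangKey']]) && (
 !isset($DirValue['choices']) ||
 isset($DirValue['choices'][$_POST[$ThisDir['DirLangKey']]])
 )) {
@@ -1089,7 +1089,7 @@ public function view(string $Page = ''): void
 !empty($DirValue['allow_other']) &&
 $_POST[$ThisDir['DirLangKey']] === 'Other' &&
 isset($_POST[$ThisDir['DirLangKeyOther']]) &&
-!preg_match('/[^\x20-\xff"\']/', $_POST[$ThisDir['DirLangKeyOther']])
+!preg_match('/[^\x20-\xFF"\']/', $_POST[$ThisDir['DirLangKeyOther']])
 ) {
 $ConfigurationModified = true;
 $this->Loader->Configuration[$CatKey][$DirKey] = $_POST[$ThisDir['DirLangKeyOther']];
@@ -2079,7 +2079,7 @@ private function quarantineRecursiveList(): array
 ) ? substr($Head, $OriginStartPos + 15, $OriginEndPos - $OriginStartPos - 15) : $this->Loader->L10N->getString('field_filetype_unknown');
 
 /** If the phpMussel QFU (Quarantined File Upload) header isn't found, it probably isn't a quarantined file. */
-if (($HeadPos = strpos($Head, "\xa1phpMussel\x21")) !== false && (substr($Head, $HeadPos + 31, 1) === "\1")) {
+if (($HeadPos = strpos($Head, "\xA1phpMussel\x21")) !== false && (substr($Head, $HeadPos + 31, 1) === "\1")) {
 $Head = substr($Head, $HeadPos);
 $Arr[$Key]['Upload-MD5'] = bin2hex(substr($Head, 11, 16));
 $Arr[$Key]['Upload-Size'] = $this->Loader->unpackSafe('l*', substr($Head, 27, 4));
@@ -2122,7 +2122,7 @@ private function quarantineRestore(string $File, string $Key): string
 $Data = $this->Loader->readFileBlocks($File);
 
 /** Fetch headers. */
-if (($HeadPos = strpos($Data, "\xa1phpMussel\x21")) === false || (substr($Data, $HeadPos + 31, 1) !== "\1")) {
+if (($HeadPos = strpos($Data, "\xA1phpMussel\x21")) === false || (substr($Data, $HeadPos + 31, 1) !== "\1")) {
 $this->InstanceCache['RestoreStatus'] = 2;
 return '';
 }
@@ -2203,7 +2203,7 @@ private function signatureInformationHandler(string &$InfoRows, string &$SigInfo
 /** Expand patterns for signature metadata. */
 foreach ($Arr['SigTypes'] as &$Type) {
 $Type = sprintf(
-'\x1a(?![\x80-\x8f])[\x0%1$s\x1%1$s\x2%1$s\x3%1$s\x4%1$s\x5%1$s\x6%1$s\x7%1$s\x8%1$s\x9%1$s\xa%1$s\xb%1$s\xc%1$s\xd%1$s\xe%1$s\ef%1$s].',
+'\x1A(?![\x80-\x8F])[\x0%1$s\x1%1$s\x2%1$s\x3%1$s\x4%1$s\x5%1$s\x6%1$s\x7%1$s\x8%1$s\x9%1$s\xa%1$s\xb%1$s\xc%1$s\xd%1$s\xe%1$s\ef%1$s].',
 $Type
 );
 }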
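Review bot: The brute-force counters (the `LoginAttempts` and `Failed2FA` cache keys at the top of `view()`) and the front-end logger are now keyed on `$this->IPAddr`, but nothing in this diff shows how that value is derived, and the changelog says it can come from `HTTP_X_FORWARDED_FOR`; if that header is honoured without first checking that `REMOTE_ADDR` is a trusted proxy, a client can choose a fresh counter on every attempt just by changing the header, which defeats `max_login_attempts` and lets arbitrary bytes into cache keys and log lines. Assuming `IPAddr` is resolved in the constructor outside this hunk, I would guard it there: use `$_SERVER['REMOTE_ADDR']` unless the configured `ipaddr` source is a forwarded header and the connecting address is on a trusted-proxy list, and reject the result unless `filter_var($IP, FILTER_VALIDATE_IP) !== false` before it is concatenated into keys or logged. At the brute-force check a short comment would make the assumption explicit, e.g. `/** Keyed on the resolved client IP; only effective if IPAddr cannot be chosen by the client (trusted-proxy handling). */`. The enclosing `view()` method starts and ends outside the hunk.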
