Allow defining the HTTP headers that contain the user IP address

mlocati · mlocati · commit b7405063bb31 · 2025-01-21T16:56:22.000+01:00
diff --git a/tinyfilemanager.php b/tinyfilemanager.php
@@ -127,6 +127,14 @@
 // OR => Connection must be on the whitelist, or not on the blacklist
 $ip_ruleset = 'OFF';
 
+// List of HTTP headers that may contain the real IP address of the user
+$ip_http_headers = array(
+    'HTTP_CF_CONNECTING_IP',
+    'HTTP_X_FORWARDED_FOR',
+    'REMOTE_ADDR',
+    'HTTP_CLIENT_IP',
+);
+
 // Should users be notified of their block?
 $ip_silent = true;
 
@@ -149,6 +157,8 @@
     @include($config_file);
 }
 
+defined('FM_IP_HTTP_HEADERS') || define('FM_IP_HTTP_HEADERS', (version_compare(PHP_VERSION, '7.0.0', '<') ? serialize($ip_http_headers) : $ip_http_headers));
+
 // External CDN resources that can be used in the HTML (replace for GDPR compliance)
 $external = array(
     'css-bootstrap' => '<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-QWTKZyjpPEjISv5WaRU9OFeRpok6YctnYmDr5pNlyT2bRjXh0JMhjY6hW+ALEwIH" crossorigin="anonymous">',
@@ -283,14 +293,16 @@ function session_error_handling_function($code, $msg, $file, $line)
 if ($ip_ruleset != 'OFF') {
     function getClientIP()
     {
-        if (array_key_exists('HTTP_CF_CONNECTING_IP', $_SERVER)) {
-            return  $_SERVER["HTTP_CF_CONNECTING_IP"];
-        } else if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
-            return  $_SERVER["HTTP_X_FORWARDED_FOR"];
-        } else if (array_key_exists('REMOTE_ADDR', $_SERVER)) {
-            return $_SERVER['REMOTE_ADDR'];
-        } else if (array_key_exists('HTTP_CLIENT_IP', $_SERVER)) {
-            return $_SERVER['HTTP_CLIENT_IP'];
+        $ip_http_headers = FM_IP_HTTP_HEADERS;
+        if (is_string($ip_http_headers)) {
+            $ip_http_headers = @unserialize($ip_http_headers);
+        }
+        if (is_array($ip_http_headers)) {
+            foreach ($ip_http_headers as $header) {
+                if (array_key_exists($header, $_SERVER)) {
+                    return $_SERVER[$header];
+                }
+            }
         }
         return '';
     }
