friendica/src/App/Request.php

<?php
/**
 * @copyright Copyright (C) 2010-2022, the Friendica project
 *
 * @license GNU AGPL version 3 or any later version
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 *
 */

namespace Friendica\App;

use Friendica\Core\Config\Capability\IManageConfigValues;

/**
 * Container for the whole request
 *
 * @see https://www.php-fig.org/psr/psr-7/#321-psrhttpmessageserverrequestinterface
 *
 * @todo future container class for whole requests, currently it's not :-)
 */
class Request
{
	/** @var string the default possible headers, which could contain the client IP */
	const ORDERED_FORWARD_FOR_HEADER = 'HTTP_X_FORWARDED_FOR';

	/** @var string The remote IP address of the current request */
	protected $remoteAddress;

	/**
	 * @return string The remote IP address of the current request
	 */
	public function getRemoteAddress(): string
	{
		return $this->remoteAddress;
	}

	public function __construct(IManageConfigValues $config, array $server = [])
	{
		$this->remoteAddress = $this->determineRemoteAddress($config, $server);
	}

	/**
	 * Checks if given $remoteAddress matches given $trustedProxy.
	 * If $trustedProxy is an IPv4 IP range given in CIDR notation, true will be returned if
	 * $remoteAddress is an IPv4 address within that IP range.
	 * Otherwise, $remoteAddress will be compared to $trustedProxy literally and the result
	 * will be returned.
	 *
	 * @return boolean true if $remoteAddress matches $trustedProxy, false otherwise
	 */
	protected function matchesTrustedProxy(string $trustedProxy, string $remoteAddress): bool
	{
		$cidrre = '/^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\/([0-9]{1,2})$/';

		if (preg_match($cidrre, $trustedProxy, $match)) {
			$net       = $match[1];
			$shiftbits = min(32, max(0, 32 - intval($match[2])));
			$netnum    = ip2long($net) >> $shiftbits;
			$ipnum     = ip2long($remoteAddress) >> $shiftbits;

			return $ipnum === $netnum;
		}

		return $trustedProxy === $remoteAddress;
	}

	/**
	 * Checks if given $remoteAddress matches any entry in the given array $trustedProxies.
	 * For details regarding what "match" means, refer to `matchesTrustedProxy`.
	 *
	 * @return boolean true if $remoteAddress matches any entry in $trustedProxies, false otherwise
	 */
	protected function isTrustedProxy(array $trustedProxies, string $remoteAddress): bool
	{
		foreach ($trustedProxies as $tp) {
			if ($this->matchesTrustedProxy($tp, $remoteAddress)) {
				return true;
			}
		}

		return false;
	}

	/**
	 * @param IManageConfigValues $config
	 * @param array               $server
	 *
	 * @return string
	 */
	protected function determineRemoteAddress(IManageConfigValues $config, array $server): string
	{
		$remoteAddress  = $server['REMOTE_ADDR'] ?? '0.0.0.0';
		$trustedProxies = preg_split('/(\s*,*\s*)*,+(\s*,*\s*)*/', $config->get('proxy', 'trusted_proxies', ''));

		if (\is_array($trustedProxies) && $this->isTrustedProxy($trustedProxies, $remoteAddress)) {
			$forwardedForHeaders = preg_split('/(\s*,*\s*)*,+(\s*,*\s*)*/', $config->get('proxy', 'forwarded_for_headers')) ?? static::ORDERED_FORWARD_FOR_HEADER;

			foreach ($forwardedForHeaders as $header) {
				if (isset($server[$header])) {
					foreach (explode(',', $server[$header]) as $IP) {
						$IP = trim($IP);

						// remove brackets from IPv6 addresses
						if (strpos($IP, '[') === 0 && substr($IP, -1) === ']') {
							$IP = substr($IP, 1, -1);
						}

						// skip trusted proxies in the list itself
						if ($this->isTrustedProxy($trustedProxies, $IP)) {
							continue;
						}

						if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
							return $IP;
						}
					}
				}
			}
		}

		return $remoteAddress;
	}
}
Respect Forwarded-For headers 2022-06-23 20:42:35 +00:00			`<?php`
Add copyright 2022-06-23 20:44:17 +00:00			`/**`
			`* @copyright Copyright (C) 2010-2022, the Friendica project`
			`*`
			`* @license GNU AGPL version 3 or any later version`
			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as`
			`* published by the Free Software Foundation, either version 3 of the`
			`* License, or (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
			`* along with this program. If not, see <https://www.gnu.org/licenses/>.`
			`*`
			`*/`
Respect Forwarded-For headers 2022-06-23 20:42:35 +00:00
			`namespace Friendica\App;`

			`use Friendica\Core\Config\Capability\IManageConfigValues;`

			`/**`
			`* Container for the whole request`
			`*`
			`* @see https://www.php-fig.org/psr/psr-7/#321-psrhttpmessageserverrequestinterface`
			`*`
			`* @todo future container class for whole requests, currently it's not :-)`
			`*/`
			`class Request`
			`{`
			`/** @var string the default possible headers, which could contain the client IP */`
			`const ORDERED_FORWARD_FOR_HEADER = 'HTTP_X_FORWARDED_FOR';`

			`/** @var string The remote IP address of the current request */`
			`protected $remoteAddress;`

			`/**`
			`* @return string The remote IP address of the current request`
			`*/`
			`public function getRemoteAddress(): string`
			`{`
			`return $this->remoteAddress;`
			`}`

			`public function __construct(IManageConfigValues $config, array $server = [])`
			`{`
			`$this->remoteAddress = $this->determineRemoteAddress($config, $server);`
			`}`

			`/**`
			`* Checks if given $remoteAddress matches given $trustedProxy.`
			`* If $trustedProxy is an IPv4 IP range given in CIDR notation, true will be returned if`
			`* $remoteAddress is an IPv4 address within that IP range.`
			`* Otherwise, $remoteAddress will be compared to $trustedProxy literally and the result`
			`* will be returned.`
			`*`
			`* @return boolean true if $remoteAddress matches $trustedProxy, false otherwise`
			`*/`
			`protected function matchesTrustedProxy(string $trustedProxy, string $remoteAddress): bool`
			`{`
			`$cidrre = '/^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\/([0-9]{1,2})$/';`

			`if (preg_match($cidrre, $trustedProxy, $match)) {`
			`$net = $match[1];`
			`$shiftbits = min(32, max(0, 32 - intval($match[2])));`
			`$netnum = ip2long($net) >> $shiftbits;`
			`$ipnum = ip2long($remoteAddress) >> $shiftbits;`

			`return $ipnum === $netnum;`
			`}`

			`return $trustedProxy === $remoteAddress;`
			`}`

			`/**`
			`* Checks if given $remoteAddress matches any entry in the given array $trustedProxies.`
			* For details regarding what "match" means, refer to `matchesTrustedProxy`.
			`*`
			`* @return boolean true if $remoteAddress matches any entry in $trustedProxies, false otherwise`
			`*/`
			`protected function isTrustedProxy(array $trustedProxies, string $remoteAddress): bool`
			`{`
			`foreach ($trustedProxies as $tp) {`
			`if ($this->matchesTrustedProxy($tp, $remoteAddress)) {`
			`return true;`
			`}`
			`}`

			`return false;`
			`}`

			`/**`
			`* @param IManageConfigValues $config`
			`* @param array $server`
			`*`
			`* @return string`
			`*/`
			`protected function determineRemoteAddress(IManageConfigValues $config, array $server): string`
			`{`
			`$remoteAddress = $server['REMOTE_ADDR'] ?? '0.0.0.0';`
			`$trustedProxies = preg_split('/(\s,\s),+(\s,\s)/', $config->get('proxy', 'trusted_proxies', ''));`

			`if (\is_array($trustedProxies) && $this->isTrustedProxy($trustedProxies, $remoteAddress)) {`
			`$forwardedForHeaders = preg_split('/(\s,\s),+(\s,\s)/', $config->get('proxy', 'forwarded_for_headers')) ?? static::ORDERED_FORWARD_FOR_HEADER;`

			`foreach ($forwardedForHeaders as $header) {`
			`if (isset($server[$header])) {`
			`foreach (explode(',', $server[$header]) as $IP) {`
			`$IP = trim($IP);`

			`// remove brackets from IPv6 addresses`
			`if (strpos($IP, '[') === 0 && substr($IP, -1) === ']') {`
			`$IP = substr($IP, 1, -1);`
			`}`

			`// skip trusted proxies in the list itself`
			`if ($this->isTrustedProxy($trustedProxies, $IP)) {`
			`continue;`
			`}`

			`if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {`
			`return $IP;`
			`}`
			`}`
			`}`
			`}`
			`}`

			`return $remoteAddress;`
			`}`
			`}`