This repository was archived by the owner on Nov 27, 2020. It is now read-only.

Commit 19dafe2

bes89 authored and fabpot committed
fixed access check: allow local link addresses and prevent access when XFF/HTTP_CLIENT_IP is set
1 parent 4960ae6 commit 19dafe2

1 file changed: +6 -4 lines changed


web/config.php

+6 -4
@@ -4,10 +4,12 @@
44
exit('This script cannot be run from the CLI. Run it from a browser.');
55
}
66

7-
if (!in_array(@$_SERVER['REMOTE_ADDR'], array(
8-
'127.0.0.1',
9-
'::1',
10-
))) {
7+
// This check prevents access to configuration check that are deployed by accident to production servers.
8+
// Feel free to remove this, extend it, or make something more sophisticated.
9+
if (isset($_SERVER['HTTP_CLIENT_IP'])
10+
|| isset($_SERVER['HTTP_X_FORWARDED_FOR'])
11+
|| !in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', 'fe80::1', '::1'))
12+
) {
1113
header('HTTP/1.0 403 Forbidden');
1214
exit('This script is only accessible from localhost.');
1315
}
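Review bot: The added `isset($_SERVER['HTTP_CLIENT_IP']) || isset($_SERVER['HTTP_X_FORWARDED_FOR'])` condition fails closed, which is the right default, but it only recognises those two proxy headers; a request that reaches PHP through a local reverse proxy that sets neither of them (or carries a different one, such as the standard `Forwarded` header) still presents `REMOTE_ADDR` as `127.0.0.1` and passes the `in_array` test. The added comment already invites operators to extend or remove the check; consider stating there that it is a best-effort guard and that not deploying `web/config.php` to production is the real fix. Two smaller points on the same lines: the comment text "configuration check that are deployed" should read "configuration checks that are deployed", and the commit message says "local link addresses" while the whitelist gains only the single literal `'fe80::1'`, not the `fe80::/10` range, which is fine but worth saying explicitly.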
