Chapril/paste.chapril.org-privatebin
Chapril/paste.chapril.org-privatebin
24
0
Fork 0
Code Issues Releases Wiki Activity

traffic limiter would fail behind a reverse proxy / load balancer.

Browse Source 
Adding configuration option to set the trusted HTTP header to get the
visitors IP in such a case (avoiding security issue if malicious clients
just set these headers themselfs)
This commit is contained in:
El RIDO 2015-09-18 22:31:01 +02:00
parent 801cdc627e
commit 47efedf23c
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
cfg/conf.ini
View File

@ -71,6 +71,12 @@ markdown = "Markdown"
; time limit between calls from the same IP address in seconds
; Set this to 0 to disable rate limiting.
limit = 10
; (optional) if your website runs behind a reverse proxy or load balancer,
; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
; header = "X_FORWARDED_FOR"
; directory to store the traffic limits in
dir = PATH "data"
[model]

11
lib/zerobin.php
View File

@ -223,7 +223,16 @@ class zerobin
// Make sure last paste from the IP address was more than X seconds ago.
trafficlimiter::setLimit($this->_conf['traffic']['limit']);
trafficlimiter::setPath($this->_conf['traffic']['dir']);
if (!trafficlimiter::canPass($_SERVER['REMOTE_ADDR']))
$ipKey = 'REMOTE_ADDR';
if (array_key_exists('header', $this->_conf['traffic']))
{
$header = 'HTTP_' . $this->_conf['traffic']['header'];
if (array_key_exists($header, $_SERVER) && !empty($_SERVER[$header]))
{
$ipKey = $header;
}
}
if (!trafficlimiter::canPass($_SERVER[$ipKey]))
{
$this->_return_message(
1,