From b1a03cc3468ceb1aa031aa2b5e23c56a80501f3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Chmielowski?=
Date: Fri, 4 May 2018 09:53:07 +0200
Subject: [PATCH] Make trusted_proxied ejabberd_http option accept ip masks

---
 src/ejabberd_http.erl | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/ejabberd_http.erl b/src/ejabberd_http.erl
index 3f414244f..40267b5eb 100644
--- a/src/ejabberd_http.erl
+++ b/src/ejabberd_http.erl
@@ -519,9 +519,21 @@ analyze_ip_xff({IPLast, Port}, XFF, Host) ->
 end,
 {IPClient, Port}.

+is_ipchain_trusted([], _) -> false;
 is_ipchain_trusted(_UserIPs, all) -> true;
-is_ipchain_trusted(UserIPs, TrustedIPs) ->
- [] == UserIPs -- [<<"127.0.0.1">> | TrustedIPs].
+is_ipchain_trusted(UserIPs, Masks) ->
+ lists:all(
+ fun(IP) ->
+ case inet:parse_address(binary_to_list(IP)) of
+ {ok, IP2} ->
+ lists:any(
+ fun({Mask, MaskLen}) ->
+ acl:ip_matches_mask(IP2, Mask, MaskLen)
+ end, [{{127,0,0,1}, 8} | Masks]);
+ _ ->
+ false
+ end
+ end, UserIPs).

 recv_data(State, Len) -> recv_data(State, Len, <<>>).
@@ -877,7 +889,14 @@ transform_listen_option(Opt, Opts) ->
 (atom()) -> [atom()].
 opt_type(trusted_proxies) ->
 fun (all) -> all;
- (TPs) -> [iolist_to_binary(TP) || TP <- TPs] end;
+ (TPs) -> lists:filtermap(
+ fun(TP) ->
+ case acl:parse_ip_netmask(iolist_to_binary(TP)) of
+ {ok, Ip, Mask} -> {true, {Ip, Mask}};
+ _ -> false
+ end
+ end, TPs)
+ end;
 opt_type(_) -> [trusted_proxies].

 -spec listen_opt_type(tls) -> fun((boolean()) -> boolean());
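Review bot: The implicit loopback entry in the new `is_ipchain_trusted/2` clause is `{{127,0,0,1}, 8}`, which trusts all of 127.0.0.0/8 where the removed code trusted only the literal `127.0.0.1`, and neither the commit subject nor the code says this widening is intended. If only the previous behaviour is wanted, use `{{127,0,0,1}, 32}`; either way a comment such as `%% loopback is always trusted, in addition to the configured masks` above the `lists:any/2` call would document it, and IPv6 loopback (`::1`) is not covered by this entry. The added `is_ipchain_trusted([], _) -> false;` clause also precedes the `all` clause, so an empty chain is now untrusted even when `trusted_proxies` is `all`; whether the caller can pass an empty list is not visible here, since `analyze_ip_xff/3` starts outside the hunk. Entries that fail `inet:parse_address/1` make the whole chain untrusted, which is the right fail-closed default for header-supplied values.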
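Review bot: Entries that `acl:parse_ip_netmask/1` cannot parse are silently dropped by the `lists:filtermap/2` in `opt_type(trusted_proxies)`, so a typo in the configuration leaves that proxy untrusted with no diagnostic, and requests through it would presumably be attributed to the proxy's own address. The replaced `iolist_to_binary(TP)` comprehension already failed on malformed input, so failing validation on a bad entry keeps that contract: `(TPs) -> [begin {ok, Ip, Mask} = acl:parse_ip_netmask(iolist_to_binary(TP)), {Ip, Mask} end || TP <- TPs] end;`, or at minimum log the rejected value. The tuple is bound as `{Ip, Mask}` here but matched as `{Mask, MaskLen}` in `is_ipchain_trusted/2`; using the same names in both places would make the stored shape easier to follow.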