refs #17816, fixes HTTP_X_FORWARDED_FOR handling

module/finc/src/finc/Role/PermissionProvider/IpRangeFoFor.php

@@ -45,6 +45,28 @@ namespace finc\Role\PermissionProvider;
  */
 class IpRangeFoFor extends \VuFind\Role\PermissionProvider\IpRange
 {
+
+    /**
+     * returns remote address based on eventual proxy headers
+     * 
+     * @return string
+     */
+    private function getRemoteAddr() {
+        // a list of ips the request is forwarded for - first is latest
+        $HttpXForwardedForList = explode(',', $this->request->getServer()->get('HTTP_X_FORWARDED_FOR'));
+        
+        if ($ip = array_shift($HttpXForwardedForList)) {
+            return $ip;
+        }
+        
+        // often provided by nginx-reverse-proxies, should be used since its the nature of the value
+        if ($ip = $this->request->getServer()->get('HTTP_X_REAL_IP')) {
+            return $ip;
+        }
+
+        return $this->request->getServer()->get('REMOTE_ADDR');
+    }
+
     /**
      * Return an array of roles which may be granted the permission based on
      * the options.
@@ -57,11 +79,10 @@ class IpRangeFoFor extends \VuFind\Role\PermissionProvider\IpRange
      */
     public function getPermissions($options)
     {
+
+
         // Check if any regex matches....
-        $ip = $this->request->getServer()->get('HTTP_X_FORWARDED_FOR') != null
-            ? $this->request->getServer()->get('HTTP_X_FORWARDED_FOR')
-            : $this->request->getServer()->get('REMOTE_ADDR');
-        if ($this->ipAddressUtils->isInRange($ip, (array)$options)) {
+        if ($this->ipAddressUtils->isInRange($this->getRemoteAddr(), (array)$options)) {
             // Match? Grant to all users (guest or logged in).
             return ['guest', 'loggedin'];
         }

module/finc/src/finc/Role/PermissionProvider/IpRegExFoFor.php

@@ -22,6 +22,7 @@
  * @category VuFind
  * @package  Authorization
  * @author   Gregor Gawol <gawol@ub.uni-leipzig.de>
+ * @author   Ulf Seltmann <ulf.seltmann@hmt-leipzig.de>
  * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
  * @link     https://vufind.org Main Page
  */
@@ -33,11 +34,33 @@ namespace finc\Role\PermissionProvider;
  * @category VuFind
  * @package  Authorization
  * @author   Gregor Gawol <gawol@ub.uni-leipzig.de>
+ * @author   Ulf Seltmann <ulf.seltmann@hmt-leipzig.de>
  * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
  * @link     https://vufind.org Main Page
  */
 class IpRegExFoFor extends \VuFind\Role\PermissionProvider\IpRegEx
 {
+    /**
+     * returns remote address based on eventual proxy headers
+     * 
+     * @return string
+     */
+    private function getRemoteAddr() {
+        // a list of ips the request is forwarded for - first is latest
+        $HttpXForwardedForList = explode(',', $this->request->getServer()->get('HTTP_X_FORWARDED_FOR'));
+        
+        if ($ip = array_shift($HttpXForwardedForList)) {
+            return $ip;
+        }
+        
+        // often provided by nginx-reverse-proxies, should be used since its the nature of the value
+        if ($ip = $this->request->getServer()->get('HTTP_X_REAL_IP')) {
+            return $ip;
+        }
+
+        return $this->request->getServer()->get('REMOTE_ADDR');
+    }
+
     /**
      * Return an array of roles which may be granted the permission based on
      * the options.
@@ -51,9 +74,7 @@ class IpRegExFoFor extends \VuFind\Role\PermissionProvider\IpRegEx
     public function getPermissions($options)
     {
         // Check if any regex matches....
-        $ip = $this->request->getServer()->get('HTTP_X_FORWARDED_FOR') != null
-            ? $this->request->getServer()->get('HTTP_X_FORWARDED_FOR')
-            : $this->request->getServer()->get('REMOTE_ADDR');
+        $ip = $this->getRemoteAddr();
         foreach ((array)$options as $current) {
             if (preg_match($current, $ip)) {
                 // Match? Grant to all users (guest or logged in).