X-Git-Url: https://git.p6c8.net/jirafeau.git/blobdiff_plain/ef7711fcbea94ca12e41a4897f5cc4ab284b4b11..0d67e0ca4e449915d0548819f1f09a29dae52c9a:/lib/functions.php

diff --git a/lib/functions.php b/lib/functions.php
index 77acae1..2c799f2 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -614,7 +614,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash)
                     continue;
 
                 /* Filter. */
-                if (!empty ($name) && !preg_match ("/$name/i", $l['file_name']))
+                if (!empty ($name) && !preg_match ("/$name/i", htmlspecialchars($l['file_name'])))
                     continue;
                 if (!empty ($file_hash) && $file_hash != $l['md5'])
                     continue;
@@ -626,7 +626,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash)
                 '<form action = "admin.php" method = "post">' .
                 '<input type = "hidden" name = "action" value = "download"/>' .
                 '<input type = "hidden" name = "link" value = "' . $node . '"/>' .
-                '<input type = "submit" value = "' . $l['file_name'] . '" />' .
+                '<input type = "submit" value = "' . htmlspecialchars($l['file_name']) . '" />' .
                 '</form>';
                 echo '</td>';
                 echo '<td>' . $l['mime_type'] . '</td>';
@@ -1108,29 +1108,73 @@ function jirafeau_challenge_upload_ip ($cfg, $ip)
     return false;
 }
 
+/** Tell if we have some HTTP headers generated by a proxy */
+function has_http_forwarded()
+{
+    if (!empty ($_SERVER['HTTP_X_FORWARDED_FOR']))
+        return true;
+    if (!empty ($_SERVER['http_X_forwarded_for']))
+        return true;
+    return false;
+}
+
+/**
+ * Generate IP list from HTTP headers generated by a proxy
+ * return  array of IP strings
+ */
+function get_ip_list_http_forwarded()
+{
+    $ip_list = array();
+    if (!empty ($_SERVER['HTTP_X_FORWARDED_FOR']))
+    {
+        $l = explode (',', $_SERVER['HTTP_X_FORWARDED_FOR']);
+        foreach ($l as $ip)
+            array_push ($ip_list, preg_replace ('/\s+/', '', $ip));
+    }
+    if (!empty ($_SERVER['http_X_forwarded_for']))
+    {
+        $l = explode (',', $_SERVER['http_X_forwarded_for']);
+        foreach ($l as $ip)
+        {
+            // Separate IP from port
+            $ip = explode (':', $ip)[0];
+            array_push ($ip_list, preg_replace ('/\s+/', '', $ip));
+        }
+    }
+    return $ip_list;
+}
+
 /**
  * Get the ip address of the client from REMOTE_ADDR
  * or from HTTP_X_FORWARDED_FOR if behind a proxy
  * @returns an the client ip address
  */
 function get_ip_address($cfg) {
-    if (count ($cfg['proxy_ip']) == 0 ||
-        empty ($_SERVER['HTTP_X_FORWARDED_FOR']))
-        return $_SERVER['REMOTE_ADDR'];
+    $remote = $_SERVER['REMOTE_ADDR'];
+    if (count ($cfg['proxy_ip']) == 0 || !has_http_forwarded ())
+        return $remote;
 
-    $iplist = explode (',', $_SERVER['HTTP_X_FORWARDED_FOR']);
-    if (count ($iplist) == 0)
-        return $_SERVER['REMOTE_ADDR'];
+    $ip_list = get_ip_list_http_forwarded ();
+    if (count ($ip_list) == 0)
+        return $remote;
 
     foreach ($cfg['proxy_ip'] as $proxy_ip)
     {
-        if ($_SERVER['REMOTE_ADDR'] != $proxy_ip)
+        if ($remote != $proxy_ip)
             continue;
-
-        // Take the last IP (the one which has been set by our proxy).
-        $ip = end($iplist);
-        $ip = preg_replace ('/\s+/', '', $ip);
-        return $ip;
+        // Take the last IP (the one which has been set by the defined proxy).
+        return end ($ip_list);
     }
-    return $_SERVER['REMOTE_ADDR'];
+    return $remote;
+}
+
+/**
+ * Convert hexadecimal string to base64
+ */
+function hex_to_base64($hex)
+{
+    $b = '';
+    foreach (str_split ($hex, 2) as $pair)
+        $b .= chr (hexdec ($pair));
+    return base64_encode ($b);
 }