hazza/DSpace
1
0
Fork 0
mirror of https://github.com/DSpace/DSpace.git synced 2025-10-11 12:03:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

DS-3542: Only trust X-Forwared-For headers from trusted proxies

Browse Source
This commit is contained in:
Tom Desair
2018-08-23 13:59:21 +02:00
parent b0e076ddb1
commit bd464e03f5
15 changed files with 269 additions and 135 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
dspace-api/src/main/java/org/dspace/authenticate/IPAuthentication.java
View File

@@ -18,13 +18,14 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.dspace.core.ConfigurationManager;
import org.dspace.core.Context;
import org.dspace.core.LogManager;
import org.dspace.core.factory.CoreServiceFactory;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.Group;
import org.dspace.eperson.factory.EPersonServiceFactory;
import org.dspace.eperson.service.GroupService;
import org.dspace.service.ClientInfoService;
import org.dspace.services.factory.DSpaceServicesFactory;
/**
@@ -67,6 +68,7 @@ public class IPAuthentication implements AuthenticationMethod {
protected List<IPMatcher> ipNegativeMatchers;
protected GroupService groupService;
protected ClientInfoService clientInfoService;
/**
@@ -91,6 +93,7 @@ public class IPAuthentication implements AuthenticationMethod {
ipMatcherGroupIDs = new HashMap<>();
ipMatcherGroupNames = new HashMap<>();
groupService = EPersonServiceFactory.getInstance().getGroupService();
clientInfoService = CoreServiceFactory.getInstance().getClientInfoService();
List<String> propNames = DSpaceServicesFactory.getInstance().getConfigurationService()
.getPropertyKeys("authentication-ip");
@@ -169,18 +172,7 @@ public class IPAuthentication implements AuthenticationMethod {
List<Group> groups = new ArrayList<Group>();
// Get the user's IP address
String addr = request.getRemoteAddr();
if (useProxies == null) {
useProxies = ConfigurationManager.getBooleanProperty("useProxies", false);
}
if (useProxies && request.getHeader("X-Forwarded-For") != null) {
/* This header is a comma delimited list */
for (String xfip : request.getHeader("X-Forwarded-For").split(",")) {
if (!request.getHeader("X-Forwarded-For").contains(addr)) {
addr = xfip.trim();
}
}
}
String addr = clientInfoService.getClientIp(request);
for (IPMatcher ipm : ipMatchers) {
try {