Merge branch '2.1' into 2.2

fabpot · fabpot · commit c019ad7ec66c · 2013-04-17T07:19:39.000+02:00
* 2.1:
  fixed access check: allow local link addresses and prevent access when XFF/HTTP_CLIENT_IP is set
diff --git a/web/config.php b/web/config.php
@@ -4,10 +4,12 @@
     exit('This script cannot be run from the CLI. Run it from a browser.');
 }
 
-if (!in_array(@$_SERVER['REMOTE_ADDR'], array(
-    '127.0.0.1',
-    '::1',
-))) {
+// This check prevents access to configuration check that are deployed by accident to production servers.
+// Feel free to remove this, extend it, or make something more sophisticated.
+if (isset($_SERVER['HTTP_CLIENT_IP'])
+    || isset($_SERVER['HTTP_X_FORWARDED_FOR'])
+    || !in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', 'fe80::1', '::1'))
+) {
     header('HTTP/1.0 403 Forbidden');
     exit('This script is only accessible from localhost.');
 }
