merged branch bes89/update-access-check (PR #531)

fabpot · fabpot · commit 31cd2476d90e · 2013-04-17T07:15:11.000+02:00
This PR was submitted for the master branch but it was merged into the 2.1 branch instead (closes #531). Discussion ---------- fixed access check allow local link addresses and prevent access when XFF is set (the same as in app_dev.php) Commits ------- 4c34555 fixed access check: allow local link addresses and prevent access when XFF/HTTP_CLIENT_IP is set
diff --git a/web/config.php b/web/config.php
@@ -4,10 +4,12 @@
     exit('This script cannot be run from the CLI. Run it from a browser.');
 }
 
-if (!in_array(@$_SERVER['REMOTE_ADDR'], array(
-    '127.0.0.1',
-    '::1',
-))) {
+// This check prevents access to configuration check that are deployed by accident to production servers.
+// Feel free to remove this, extend it, or make something more sophisticated.
+if (isset($_SERVER['HTTP_CLIENT_IP'])
+    || isset($_SERVER['HTTP_X_FORWARDED_FOR'])
+    || !in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', 'fe80::1', '::1'))
+) {
     header('HTTP/1.0 403 Forbidden');
     exit('This script is only accessible from localhost.');
 }
