src/App/Request.php

   1 <?php
   2 /**
   3  * @copyright Copyright (C) 2010-2022, the Friendica project
   4  *
   5  * @license GNU AGPL version 3 or any later version
   6  *
   7  * This program is free software: you can redistribute it and/or modify
   8  * it under the terms of the GNU Affero General Public License as
   9  * published by the Free Software Foundation, either version 3 of the
  10  * License, or (at your option) any later version.
  11  *
  12  * This program is distributed in the hope that it will be useful,
  13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  * GNU Affero General Public License for more details.
  16  *
  17  * You should have received a copy of the GNU Affero General Public License
  18  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  19  *
  20  */
  21
  22 namespace Friendica\App;
  23
  24 use Friendica\Core\Config\Capability\IManageConfigValues;
  25
  26 /**
  27  * Container for the whole request
  28  *
  29  * @see https://www.php-fig.org/psr/psr-7/#321-psrhttpmessageserverrequestinterface
  30  *
  31  * @todo future container class for whole requests, currently it's not :-)
  32  */
  33 class Request
  34 {
  35         /**
  36          * A comma separated list of default headers that could contain the client IP in a proxy request
  37          * Beware: This list is ordered
  38          *
  39          * @var string
  40          */
  41         const DEFAULT_FORWARD_FOR_HEADER = 'HTTP_X_FORWARDED_FOR';
  42
  43         /** @var string The remote IP address of the current request */
  44         protected $remoteAddress;
  45
  46         /**
  47          * @return string The remote IP address of the current request
  48          *
  49          * Do always use this instead of $_SERVER['REMOTE_ADDR']
  50          */
  51         public function getRemoteAddress(): string
  52         {
  53                 return $this->remoteAddress;
  54         }
  55
  56         public function __construct(IManageConfigValues $config, array $server = [])
  57         {
  58                 $this->remoteAddress = $this->determineRemoteAddress($config, $server);
  59         }
  60
  61         /**
  62          * Checks if given $remoteAddress matches given $trustedProxy.
  63          * If $trustedProxy is an IPv4 IP range given in CIDR notation, true will be returned if
  64          * $remoteAddress is an IPv4 address within that IP range.
  65          * Otherwise, $remoteAddress will be compared to $trustedProxy literally and the result
  66          * will be returned.
  67          *
  68          * @param string $trustedProxy  The current, trusted proxy to check
  69          * @param string $remoteAddress The current remote IP address
  70          *
  71          *
  72          * @return boolean true if $remoteAddress matches $trustedProxy, false otherwise
  73          */
  74         protected function matchesTrustedProxy(string $trustedProxy, string $remoteAddress): bool
  75         {
  76                 $cidrre = '/^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\/([0-9]{1,2})$/';
  77
  78                 if (preg_match($cidrre, $trustedProxy, $match)) {
  79                         $net       = $match[1];
  80                         $shiftbits = min(32, max(0, 32 - intval($match[2])));
  81                         $netnum    = ip2long($net) >> $shiftbits;
  82                         $ipnum     = ip2long($remoteAddress) >> $shiftbits;
  83
  84                         return $ipnum === $netnum;
  85                 }
  86
  87                 return $trustedProxy === $remoteAddress;
  88         }
  89
  90         /**
  91          * Checks if given $remoteAddress matches any entry in the given array $trustedProxies.
  92          * For details regarding what "match" means, refer to `matchesTrustedProxy`.
  93          *
  94          * @param string[] $trustedProxies A list of the trusted proxies
  95          * @param string   $remoteAddress  The current remote IP address
  96          *
  97          * @return boolean true if $remoteAddress matches any entry in $trustedProxies, false otherwise
  98          */
  99         protected function isTrustedProxy(array $trustedProxies, string $remoteAddress): bool
 100         {
 101                 foreach ($trustedProxies as $tp) {
 102                         if ($this->matchesTrustedProxy($tp, $remoteAddress)) {
 103                                 return true;
 104                         }
 105                 }
 106
 107                 return false;
 108         }
 109
 110         /**
 111          * Determines the remote address, if the connection came from a trusted proxy
 112          * and `forwarded_for_headers` has been configured then the IP address
 113          * specified in this header will be returned instead.
 114          *
 115          * @param IManageConfigValues $config
 116          * @param array               $server The $_SERVER array
 117          *
 118          * @return string
 119          */
 120         protected function determineRemoteAddress(IManageConfigValues $config, array $server): string
 121         {
 122                 $remoteAddress  = $server['REMOTE_ADDR'] ?? '0.0.0.0';
 123                 $trustedProxies = preg_split('/(\s*,*\s*)*,+(\s*,*\s*)*/', $config->get('proxy', 'trusted_proxies', ''));
 124
 125                 if (\is_array($trustedProxies) && $this->isTrustedProxy($trustedProxies, $remoteAddress)) {
 126                         $forwardedForHeaders = preg_split('/(\s*,*\s*)*,+(\s*,*\s*)*/', $config->get('proxy', 'forwarded_for_headers', static::DEFAULT_FORWARD_FOR_HEADER));
 127
 128                         foreach ($forwardedForHeaders as $header) {
 129                                 if (isset($server[$header])) {
 130                                         foreach (explode(',', $server[$header]) as $IP) {
 131                                                 $IP = trim($IP);
 132
 133                                                 // remove brackets from IPv6 addresses
 134                                                 if (strpos($IP, '[') === 0 && substr($IP, -1) === ']') {
 135                                                         $IP = substr($IP, 1, -1);
 136                                                 }
 137
 138                                                 // skip trusted proxies in the list itself
 139                                                 if ($this->isTrustedProxy($trustedProxies, $IP)) {
 140                                                         continue;
 141                                                 }
 142
 143                                                 if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
 144                                                         return $IP;
 145                                                 }
 146                                         }
 147                                 }
 148                         }
 149                 }
 150
 151                 return $remoteAddress;
 152         }
 153 }