nextcloud · aschieweck · Jun 3, 2024 · Jun 3, 2024 · Jun 3, 2024 · Jun 4, 2024
@@ -555,55 +555,110 @@ protected function isTrustedProxy($trustedProxies, $remoteAddress) {
 	 * @return string IP address
 	 */
 	public function getRemoteAddress(): string {
-		$remoteAddress = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
-		$trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
+		return $this->getRemoteAddressAndProxyChain()['remote_address'];
+	}
 
-		if (\is_array($trustedProxies) && $this->isTrustedProxy($trustedProxies, $remoteAddress)) {
-			$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [
-				'HTTP_X_FORWARDED_FOR'
-				// only have one default, so we cannot ship an insecure product out of the box
-			]);
-
-			// Read the x-forwarded-for headers and values in reverse order as per
-			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#selecting_an_ip_address
-			foreach (array_reverse($forwardedForHeaders) as $header) {
-				if (isset($this->server[$header])) {
-					foreach (array_reverse(explode(',', $this->server[$header])) as $IP) {
-						$IP = trim($IP);
-						$colons = substr_count($IP, ':');
-						if ($colons > 1) {
-							// Extract IP from string with brackets and optional port
-							if (preg_match('/^\[(.+?)\](?::\d+)?$/', $IP, $matches) && isset($matches[1])) {
-								$IP = $matches[1];
+	/**
+	 * Returns the remote address and the trusted proxy chain from the `forwarded_for_headers`
+	 * @return array{remote_address: string, proxies: list<string>}
+	 */
+	public function getRemoteAddressAndProxyChain(): array {
+		$remoteAddress = $this->server['REMOTE_ADDR'] ?? '';
+
+		$trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
+		if (!is_array($trustedProxies) || count($trustedProxies) == 0 || $this->isTrustedProxy($trustedProxies, $remoteAddress)) {
+			return ['remote_address' => $remoteAddress, 'proxies' => []];
+		}
+
+		$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [
+			'HTTP_X_FORWARDED_FOR',  // de-facto standard to keep track of the proxy chain
+			'HTTP_FORWARDED',        // new standard to keep track of the proxy chain
+		]);
+		$proxies = [];
+
+		foreach ($forwardedForHeaders as $header) {
+			if (isset($this->server[$header])) {
+				$proxies = []; // reset for each possible header
+
+				$headerContent = $this->server[$header];
+
+				$IPs = [];
+				if (str_contains($headerContent, 'for')) {
+					// newer HTTP_FORWARDED format
+					$proxyEntries = explode(',', $headerContent);
+					foreach ($proxyEntries as $proxy) {
+						$parts = explode(';', $proxy);
+						foreach ($parts as $part) {
+							if (str_starts_with(strtolower(ltrim($part)), 'for') && str_contains($part, '=')) {
+								$part = substr($part, strpos($part, '=') + 1, strlen($part));
+								$IPs = array_merge($IPs, explode(',', $part));
 							}
-						} elseif ($colons === 1) {
-							// IPv4 with port
-							$IP = substr($IP, 0, strpos($IP, ':'));
 						}
+					}
+				} else {
+					// old school HTTP_X_FORWARDED_FOR format
+					$IPs = explode(',', $headerContent);
+				}
 
-						if ($this->isTrustedProxy($trustedProxies, $IP)) {
-							continue;
+				// Read the x-forwarded-for headers and values in reverse order as per
+				// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#selecting_an_ip_address
+				foreach (array_reverse($IPs) as $IP) {
+					$IP = trim($IP);
+					$colons = substr_count($IP, ':');
+					// $colons == 0 -> IPv4 without port, nothing to do
+					if ($colons === 1) {
+						// IPv4 with port
+						$IP = substr($IP, 0, strpos($IP, ':'));
+					} elseif ($colons > 1) {
+						// Extract IPv6 from string with brackets and optional port
+						if (preg_match('/^\[(.+?)\](?::\d+)?$/', $IP, $matches) && isset($matches[1])) {
+							$IP = $matches[1];
 						}
+					}
 
-						if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
-							return $IP;
-						}
+					if (filter_var($IP, FILTER_VALIDATE_IP) === false) {
+						break;
 					}
+
+					if (!$this->isTrustedProxy($trustedProxies, $IP)) {
+						$remoteAddress = $IP;
+						break;
+					}
+
+					$proxies[] = $IP;
 				}
 			}
 		}
 
-		return $remoteAddress;
+		return ['remote_address' => $remoteAddress, 'proxies' => $proxies];
 	}
 
+
 	/**
 	 * Check overwrite condition
 	 * @return bool
 	 */
 	private function isOverwriteCondition(): bool {
 		$regex = '/' . $this->config->getSystemValueString('overwritecondaddr', '')  . '/';
-		$remoteAddr = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
-		return $regex === '//' || preg_match($regex, $remoteAddr) === 1;
+		if ($regex === '//') {
+			return true;
+		}
+
+		$remoteAddressAndProxyChain = $this->getRemoteAddressAndProxyChain();
+		$remoteAddress = $remoteAddressAndProxyChain['remote_address'];
+		$proxies = $remoteAddressAndProxyChain['proxies'];
+
+		if(preg_match($regex, $remoteAddress) === 1) {
+			return true;
+		}
+
+		foreach ($proxies as $proxy) {
+			if(preg_match($regex, $proxy) === 1) {
+				return true;
+			}
+		}
+
+		return false;
 	}
 
 	/**