From f2bbc170da404402c67bfd66cd75f45cea107cbf Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Tue, 10 Jun 2025 09:03:00 +0100
Subject: [PATCH] Update how functions.php gets the remote IP address for logging

- Builds on PR #1210 to always get the leftmost IP address
- Cloudflare (HTTP_CF_CONNECTING_IP) must now be explicitly defined, otherwise people could add the HTTP_CF_CONNECTING_IP header to a non-Cloudflare host and spoof IPs
- Tidy up the if/else logic a little
---
 functions.php | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/functions.php b/functions.php
index b440ef9e..c6575cdc 100644
--- a/functions.php
+++ b/functions.php
@@ -77,17 +77,21 @@ function getUserAgent() {
 }
 
 function getIP() {
-    if (defined("CONST_GET_IP_METHOD")) {
-        if (CONST_GET_IP_METHOD == "HTTP_X_FORWARDED_FOR") {
-            $ip = getenv('HTTP_X_FORWARDED_FOR');
-        } else {
-            $ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $_SERVER['REMOTE_ADDR'];
-        }
-    } else {
+
+    // Default way to get IP
+    $ip = $_SERVER['REMOTE_ADDR'];
+
+    // Allow overrides via config.php in-case we use a proxy - https://docs.itflow.org/config_php
+    if (defined("CONST_GET_IP_METHOD") && CONST_GET_IP_METHOD == "HTTP_X_FORWARDED_FOR") {
+        $ip = explode(',', getenv('HTTP_X_FORWARDED_FOR'))[0] ?? $_SERVER['REMOTE_ADDR'];;
+    } elseif (defined("CONST_GET_IP_METHOD") && CONST_GET_IP_METHOD == "HTTP_CF_CONNECTING_IP") {
         $ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $_SERVER['REMOTE_ADDR'];
     }
 
+    // Abort if something isn't right
     if (!filter_var($ip, FILTER_VALIDATE_IP)) {
+        error_log("ITFlow - Could not validate remote IP address");
+        error_log("ITFlow - IP was [$ip] using method " . CONST_GET_IP_METHOD);
         exit("Potential Security Violation");
     }