getClientIP check headers should be updated and rearranged

Started by razor7, May 19, 2015, 14:29:17 PM


razor7

Hi, several days ago I released my new website with J! 3.4.1 and VM 3.0.8 and all was just fine, until I tested PayPal on the live site.

On my production server I was getting this error log on each order purchase...

Quote:
    Error with REMOTE IP ADDRESS = 173.245.54.10.
    The remote address of the script posting to this notify script does not match a valid PayPal IP address
    These are the valid IP Addresses: 173.0.82.126
    The Order ID received was: ab2e05

So, after a little bit of debugging I found the issue was in the function getClientIP of the ShopFunctions helper class. In my case, I'm using CloudFlare services to speed up my site, so the client IP of every HTTP request is replaced by CF's own server IP. To fix that, I suggest a little rework of the function to include the CF header HTTP_CF_CONNECTING_IP, and rework it like this. Note that the REMOTE_ADDR header check should go at the end of the array; if not, it will always return that IP first, which in my case was always a CF IP...


    static function getClientIP() {
        // Candidate $_SERVER keys, checked in this order. REMOTE_ADDR is last on
        // purpose: behind a reverse proxy it holds the proxy's address, so it must
        // only be the fallback. (HTTP_X_FORWARDED_PROTO carries a scheme such as
        // "http", never an address, so validateIp() rejects it and it has no effect.)
        $ip_keys = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED_PROTO', 'REMOTE_ADDR');

        // Extra keys from the VM3 config var revproxvar (comma separated, e.g.
        // HTTP_CF_CONNECTING_IP for CloudFlare) are checked before the defaults.
        $extra = VmConfig::get('revproxvar', '');
        if (!empty($extra)) {
            $extra   = array_map('trim', explode(',', $extra));
            $ip_keys = array_merge($extra, $ip_keys);
        }

        foreach ($ip_keys as $key) {
            if (array_key_exists($key, $_SERVER) === true) {
                // a header may carry a comma separated chain; use the first valid entry
                foreach (explode(',', $_SERVER[$key]) as $ip) {
                    // trim for safety measures
                    $ip = trim($ip);
                    // attempt to validate IP
                    if (self::validateIp($ip)) {
                        return $ip;
                    }
                }
            }
        }

        // nothing usable, not even REMOTE_ADDR
        return false;
    }


Just for the record, here are the HTTP headers of the PayPal IPN request through CF servers.

Quote:
CONTENT_TYPE: application/x-www-form-urlencoded
DOCUMENT_ROOT: /home/555/public_html
GATEWAY_INTERFACE: CGI/1.1
HTTP_ACCEPT_ENCODING: gzip
HTTP_AUTHORIZATION:
HTTP_CF_CONNECTING_IP: 173.0.82.126
HTTP_CF_IPCOUNTRY: US
HTTP_CF_RAY: 1e7a76bef3f70880-IAD
HTTP_CF_VISITOR: {"scheme":"http"}
HTTP_CONNECTION: Keep-Alive
HTTP_HOST: www.eee.com
HTTP_USER_AGENT: PayPal IPN ( https://www.paypal.com/ipn )
HTTP_X_FORWARDED_FOR: 173.0.82.126
HTTP_X_FORWARDED_PROTO: http
PATH: /bin:/usr/bin
PHPRC: /home/555/.phpini/php.ini
QUERY_STRING: option=com_virtuemart&view=vmplg&task=notify&tmpl=component&lang=es-ES
REDIRECT_STATUS: 200
REMOTE_ADDR: 173.245.54.10
REMOTE_PORT: 61685
REQUEST_METHOD: POST
REQUEST_URI: /index.php?option=com_virtuemart&view=vmplg&task=notify&tmpl=component&lang=es-ES
SCRIPT_FILENAME: /home/555/public_html/index.php
SCRIPT_NAME: /index.php
SERVER_ADDR: 216.227.215.225
SERVER_ADMIN: webmaster@eee.com
SERVER_NAME: www.eee.com
SERVER_PORT: 80
SERVER_PROTOCOL: HTTP/1.1
SERVER_SIGNATURE:
SERVER_SOFTWARE: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.6
UNIQUE_ID: VVfCatjj1@EAACPGCYIAAAAm
PHP_SELF: /index.php
REQUEST_TIME: 1431814762
argv: Array
argc: 1

EDIT: Edited function to take into account the new VM3 config var revproxvar to add extra headers for checking.
MGS Creativa - VirtueMart Payment Plugin Experts
http://www.mgscreativa.com

Take a look at our downloads section for VirtueMart payment plugins and much more!
http://www.mgscreativa.com/en/online-store
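An added example from the editor, not code from the thread or from VirtueMart. The rework above returns whatever address appears in the first matching header, so a request that reaches the origin server directly (bypassing CloudFlare) with a forged X-Forwarded-For or CF-Connecting-IP header chooses the address that the IPN check compares against. The usual fix is to believe proxy headers only when REMOTE_ADDR is one of your own proxies, and to read X-Forwarded-For from the right, since proxies append to it rather than replace it. The CIDR list, the header list, the function names and the sample request arrays below are constructed for illustration; validateClientIp() is a stand-in for VirtueMart's validateIp(), and in production the proxy ranges should be loaded from the list the CDN publishes.

```php
<?php
// Added example (editor's, not VirtueMart's or the poster's code): resolve the
// client address behind a reverse proxy without letting the client choose it.
// CIDR list, header names and sample requests are constructed for illustration.

/** True if $ip (v4 or v6) lies inside $cidr, e.g. "173.245.48.0/20". */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($subnet);
    // unparseable, or an IPv4 address tested against an IPv6 range
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) return false;
    $maxBits = strlen($ipBin) * 8;
    $bits = ($bits === null) ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) return false;
    $fullBytes = intdiv($bits, 8);
    $remBits   = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) return false;
    if ($remBits === 0) return true;
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isTrustedProxy(string $ip, array $trustedCidrs): bool
{
    foreach ($trustedCidrs as $cidr) {
        if (ipInCidr($ip, $cidr)) return true;
    }
    return false;
}

// Stand-in for VirtueMart's validateIp(): public, routable addresses only.
function validateClientIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * @param array    $server        $_SERVER, or a copy of it
 * @param string[] $trustedCidrs  networks our reverse proxies connect from
 * @param string[] $proxyHeaders  $_SERVER keys the proxy sets, most trusted first
 * @return string|false           client address, or false if REMOTE_ADDR is unusable
 */
function getClientIpBehindProxy(array $server, array $trustedCidrs, array $proxyHeaders)
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) return false;
    // A direct connection (no trusted proxy in front) gets REMOTE_ADDR and nothing
    // else: any forwarding header on such a request was written by the client.
    if (!isTrustedProxy($remote, $trustedCidrs)) return $remote;
    foreach ($proxyHeaders as $key) {
        if (empty($server[$key])) continue;
        // X-Forwarded-For is appended to, not replaced, so the leftmost entry may be
        // client supplied. Walk from the right: the first address that is not one of
        // our proxies is the peer the last trusted proxy actually talked to.
        $chain = array_reverse(array_map('trim', explode(',', $server[$key])));
        foreach ($chain as $candidate) {
            if (isTrustedProxy($candidate, $trustedCidrs)) continue;
            if (validateClientIp($candidate)) return $candidate;
            break; // garbage at the trust boundary: do not read further into client data
        }
    }
    return $remote; // proxy set no usable header; its own address is the safe answer
}

// Constructed requests modelled on the header dump in the post above.
$cloudflareRanges = ['173.245.48.0/20']; // illustrative subset, not the full list
$proxyHeaders     = ['HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR'];

$viaCloudflare = ['REMOTE_ADDR'           => '173.245.54.10',
                  'HTTP_CF_CONNECTING_IP' => '173.0.82.126',
                  'HTTP_X_FORWARDED_FOR'  => '173.0.82.126'];
// Same headers, but the TCP peer is not CloudFlare: someone hit the origin directly.
$directSpoof   = ['REMOTE_ADDR'           => '198.51.100.7',
                  'HTTP_CF_CONNECTING_IP' => '173.0.82.126',
                  'HTTP_X_FORWARDED_FOR'  => '173.0.82.126'];
// Client sent its own X-Forwarded-For and the proxy appended the real peer.
$chainedSpoof  = ['REMOTE_ADDR'           => '173.245.54.10',
                  'HTTP_X_FORWARDED_FOR'  => '173.0.82.126, 203.0.113.9'];

var_dump(getClientIpBehindProxy($viaCloudflare, $cloudflareRanges, $proxyHeaders));
var_dump(getClientIpBehindProxy($directSpoof,   $cloudflareRanges, $proxyHeaders));
var_dump(getClientIpBehindProxy($chainedSpoof,  $cloudflareRanges, $proxyHeaders));
```

Tracing the three calls: the request that really came through CloudFlare resolves to the PayPal address 173.0.82.126; the direct-to-origin request with forged headers resolves to its own peer 198.51.100.7, so the IPN check fails as it should; and the chained X-Forwarded-For resolves to the appended 203.0.113.9 rather than the client-supplied leftmost entry. Keeping REMOTE_ADDR as the answer for untrusted peers is what makes the header order in the rework above safe to use.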

Milbo

ah, okay, makes sense to put REMOTE_ADDR at the end.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

razor7

Great, thanks for considering the fix. Also bear in mind that the array_merge should be like this: array_merge($extra, $ip_keys); and the last line should return false, because if everything else failed (including REMOTE_ADDR) there must be another issue...
