
Commit c837a6d

Merge pull request hestiacp#1492 from hestiacp/fix/2020-12-api_auth_logging
API logging issues with hash key
2 parents 6dbdc13 + 190397e commit c837a6d

1 file changed

+32
-12
lines changed

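--- a/web/api/index.php
+++ b/web/api/index.php
@@ -1,8 +1,33 @@
 <?php
 define('HESTIA_CMD', '/usr/bin/sudo /usr/local/hestia/bin/');
 
+function get_real_user_ip(){
+$ip = $_SERVER['REMOTE_ADDR'];
+if(isset($_SERVER['HTTP_CLIENT_IP'])){
+$ip = $_SERVER['HTTP_CLIENT_IP'];
+}
+if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
+$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+}
+if(isset($_SERVER['HTTP_FORWARDED_FOR'])){
+$ip = $_SERVER['HTTP_FORWARDED_FOR'];
+}
+if(isset($_SERVER['HTTP_X_FORWARDED'])){
+$ip = $_SERVER['HTTP_X_FORWARDED'];
+}
+if(isset($_SERVER['HTTP_FORWARDED'])){
+$ip = $_SERVER['HTTP_FORWARDED'];
+}
+if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){
+if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
+$ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
+}
+}
+return $ip;
+}
+
 function api($hst_hash, $hst_user, $hst_password, $hst_returncode, $hst_cmd, $hst_arg1, $hst_arg2, $hst_arg3, $hst_arg4, $hst_arg5, $hst_arg6, $hst_arg7, $hst_arg8, $hst_arg9){
-//This exists, so native JSON can be used without the repeating the code twice, so future code changes are easier and dont need to be replicated twice
+//This exists, so native JSON can be used without the repeating the code twice, so future code changes are easier and don't need to be replicated twice
 // Authentication
 if (empty($hst_hash)) {
 if ($hst_user != 'admin') {
@@ -15,7 +40,7 @@ function api($hst_hash, $hst_user, $hst_password, $hst_returncode, $hst_cmd, $hs
 echo 'Error: missing authentication';
 exit;
 }
-$v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
+$v_ip = escapeshellarg(get_real_user_ip());
 $output = '';
 exec (HESTIA_CMD."v-get-user-salt admin ".$v_ip." json" , $output, $return_var);
 $pam = json_decode(implode('', $output), true);
@@ -53,16 +78,11 @@ function api($hst_hash, $hst_user, $hst_password, $hst_returncode, $hst_cmd, $hs
 }
 } else {
 $key = '/usr/local/hestia/data/keys/' . basename($hst_hash);
-if (file_exists($key) && is_file($key)) {
-exec(HESTIA_CMD ."v-check-api-key ".escapeshellarg($key)." ".$v_ip, $output, $return_var);
-unset($output);
-
-// Check API answer
-if ( $return_var > 0 ) {
-echo 'Error: authentication failed';
-exit;
-}
-} else {
+$v_ip = escapeshellarg(get_real_user_ip());
+exec(HESTIA_CMD ."v-check-api-key ".escapeshellarg($key)." ".$v_ip, $output, $return_var);
+unset($output);
+// Check API answer
+if ( $return_var > 0 ) {
 echo 'Error: authentication failed';
 exit;
 }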
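Review bot: The new `get_real_user_ip()` (new-side lines 4–27) takes the client address from whichever of six request headers the caller chose to send, with no check that `REMOTE_ADDR` is a proxy we trust and no validation that the value is an IP at all, so the `$v_ip` handed to `v-get-user-salt` and `v-check-api-key` in the second and third hunks is entirely attacker-controlled. `escapeshellarg` keeps it out of the shell, but whatever those scripts do with the address downstream — logging, IP-based blocking or allow-listing (the commit title suggests logging, the rest is inferred) — can now be spoofed or filled with arbitrary text, and the precedence is backwards: a forged `Forwarded` header overrides `X-Forwarded-For`, and `CF-Connecting-IP` overrides everything, header-by-header with no `!empty` check except on the last one. I would only consult these headers when `REMOTE_ADDR` is in a configured list of trusted proxies, take the first element of a comma-separated `X-Forwarded-For`, and accept it only if `filter_var($candidate, FILTER_VALIDATE_IP)` passes, falling back to `REMOTE_ADDR` otherwise. Separately, the third hunk drops the `file_exists($key) && is_file($key)` guard, so `v-check-api-key` now runs for a nonexistent key path; that is safe only if the script returns non-zero for a missing file, which is worth confirming. `api()` continues outside these hunks.
```php
function get_real_user_ip(){
    // Only honour proxy-supplied headers when the TCP peer is a proxy we operate.
    // NOTE(review): populate from Hestia's configuration; an empty list means
    // headers are never trusted and REMOTE_ADDR is always used.
    $trusted_proxies = array();
    $ip = $_SERVER['REMOTE_ADDR'];
    if (!in_array($ip, $trusted_proxies, true)) {
        return $ip;
    }
    // Most specific source first; the first syntactically valid IP wins.
    $headers = array('HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP');
    foreach ($headers as $header) {
        if (empty($_SERVER[$header])) {
            continue;
        }
        // X-Forwarded-For is a comma-separated hop chain; the first entry is the client.
        $candidate = trim(explode(',', $_SERVER[$header])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $ip;
}
```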
