auth: fix HTTP_REVER checks by reverts for now

This reverts commit 92a5f77ad533ac1770bdcc0a39b8faca7aab8cfd. This reverts commit 681f654c2f7f8747738cfe115f6399bff56bc319.
2026-03-17 01:54:49 +00:00 · 2015-07-31 15:06:26 +02:00 · 2015-07-31 15:06:26 +02:00 · d4adfc301e
commit d4adfc301e
parent 27f7022bab
2 changed files with 33 additions and 35 deletions
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@ -38,7 +38,8 @@

 /* include globals from notices.inc /utility/XML parser files */
 require_once("radius.inc");
-
+require_once("interfaces.inc");
+require_once("util.inc");

 // Will be changed to false if security checks fail
 $security_passed = true;
@ -147,8 +148,20 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui']['
 					}

 			if(!$found_host) {
-				$found_host = isAuthLocalIP($referrer_host) ;
-
+				$interface_list_ips = get_configured_ip_addresses();
+				foreach($interface_list_ips as $ilips) {
+					if(strcasecmp($referrer_host, $ilips) == 0) {
+						$found_host = true;
+						break;
+					}
+				}
+				$interface_list_ipv6s = get_configured_ipv6_addresses();
+				foreach($interface_list_ipv6s as $ilipv6s) {
+					if(strcasecmp($referrer_host, $ilipv6s) == 0) {
+						$found_host = true;
+						break;
+					}
+				}
 				if($referrer_host == "127.0.0.1" || $referrer_host == "localhost") {
 					// allow SSH port forwarded connections and links from localhost
 					$found_host = true;
@ -175,35 +188,6 @@ unset($security_passed);
 $groupindex = index_groups();
 $userindex = index_users();

-/**
- * check if $http_host is a local configured ip address
- */
-function isAuthLocalIP($http_host) {
-    global $config;
-    $local_ip = false;
-    if (isset($config['interfaces'])) {
-	foreach($config['interfaces'] as $if => $ifdetail) {
-		if (isset($ifdetail['enable'])) {
-			if (isset($ifdetail['ipaddr']) && $ifdetail['ipaddr'] == $http_host) {
-				$local_ip = true;
-			} elseif (isset($ifdetail['ipaddr6']) && $ifdetail['ipaddr6'] == $http_host) {
-				$local_ip = true;
-			}
-		}
-	}
-    }
-
-    if (isset($config['virtualip']['vip'])) {
-        foreach ($config['virtualip']['vip'] as $vip) {
-            if ($vip['subnet'] == $http_host) {
-                $local_ip = true;
-            }
-        }
-    }
-
-    return $local_ip;
-}
-
 function index_groups()
 {
 	global $config, $groupindex;
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@ -31,6 +31,7 @@
 */

 require_once("auth.inc");
+require_once("filter.inc");

 // provided via legacy_bindings.inc
 global $priv_list;
@ -385,6 +386,7 @@ function display_login_form()

    /* Check against locally configured IP addresses, which will catch when someone
 	   port forwards WebGUI access from WAN to an internal IP on the router. */
+    $FilterIflist = filter_generate_optcfg_array() ;
    $local_ip = false;
    if (strstr($_SERVER['HTTP_HOST'], ":")) {
        $http_host_port = explode(":", $_SERVER['HTTP_HOST']);
@ -392,10 +394,22 @@ function display_login_form()
    } else {
        $http_host = $_SERVER['HTTP_HOST'];
    }
+    foreach ($FilterIflist as $iflist) {
+        if ($iflist['ip'] == $http_host) {
+            $local_ip = true;
+        }
+        if ($iflist['ipv6'] == $http_host) {
+            $local_ip = true;
+        }
+    }

-    // fix, local ip check was previously done using "filter_generate_optcfg_array" which basically includes alomst everything here.
-    // this should do the trick as well.
-    $local_ip = isAuthLocalIP($http_host);
+    if (isset($config['virtualip']['vip'])) {
+        foreach ($config['virtualip']['vip'] as $vip) {
+            if ($vip['subnet'] == $http_host) {
+                $local_ip = true;
+            }
+        }
+    }

    if (isset($config['openvpn']['openvpn-server'])) {
        foreach ($config['openvpn']['openvpn-server'] as $ovpns) {