path: root/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch
From 6b5dfdb31aa503bb0358784c632ff3a04e7a8ff4 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Wed, 4 Jan 2023 13:51:03 +0800
Subject: [PATCH] [DEV-2301] fixed spoofing X-Forwarded-For request header
 allows to access Frontend in maintenace mode

Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e]
CVE: CVE-2022-43515

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 ui/include/classes/user/CWebUser.php | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/ui/include/classes/user/CWebUser.php b/ui/include/classes/user/CWebUser.php
index e6e651e..bfacce7 100644
--- a/ui/include/classes/user/CWebUser.php
+++ b/ui/include/classes/user/CWebUser.php
@@ -231,13 +231,11 @@ class CWebUser {
 	}
 
 	/**
-	 * Get user ip address.
+	 * Get user IP address.
 	 *
 	 * @return string
 	 */
 	public static function getIp(): string {
-		return (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER) && $_SERVER['HTTP_X_FORWARDED_FOR'] !== '')
-			? $_SERVER['HTTP_X_FORWARDED_FOR']
-			: $_SERVER['REMOTE_ADDR'];
+		return $_SERVER['REMOTE_ADDR'];
 	}
 }
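Review bot: The rewritten docblock on the new side still says nothing about why only REMOTE_ADDR is consulted, so a maintainer with a reverse-proxy deployment is likely to put the X-Forwarded-For lookup back; the reason belongs in the comment above getIp(). Suggest adding ` * Intentionally ignores X-Forwarded-For and other client-supplied headers, which a caller can set to any value; behind a reverse proxy, have the web server (e.g. mod_remoteip / ngx_http_realip_module) rewrite REMOTE_ADDR from a trusted proxy list instead.` With this change every caller of getIp() sees the proxy's address in such deployments, so any IP-based allow list (the maintenance-mode check the subject mentions) has to be configured against the address the web server now reports. Whether other callers of getIp() exist is not visible from this hunk.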
-- 
2.25.1