Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.641
diff -u -F^f -r1.641 common.inc
--- includes/common.inc	15 May 2007 20:19:47 -0000	1.641
+++ includes/common.inc	17 May 2007 03:34:06 -0000
@@ -801,7 +801,7 @@ function valid_url($url, $absolute = FAL
  *   The name of the event.
  */
 function flood_register_event($name) {
-  db_query("INSERT INTO {flood} (event, hostname, timestamp) VALUES ('%s', '%s', %d)", $name, $_SERVER['REMOTE_ADDR'], time());
+  db_query("INSERT INTO {flood} (event, hostname, timestamp) VALUES ('%s', '%s', %d)", $name, remote_addr(), time());
 }
 
 /**
@@ -817,7 +817,7 @@ function flood_register_event($name) {
  *   True if the user did not exceed the hourly threshold. False otherwise.
  */
 function flood_is_allowed($name, $threshold) {
-  $number = db_num_rows(db_query("SELECT event FROM {flood} WHERE event = '%s' AND hostname = '%s' AND timestamp > %d", $name, $_SERVER['REMOTE_ADDR'], time() - 3600));
+  $number = db_num_rows(db_query("SELECT event FROM {flood} WHERE event = '%s' AND hostname = '%s' AND timestamp > %d", $name, remote_addr(), time() - 3600));
   return ($number < $threshold ? TRUE : FALSE);
 }
 
@@ -2651,3 +2651,19 @@ function watchdog_severity_levels() {
     WATCHDOG_DEBUG    => t('debug'),
   );
 }
+
+
+/**
+ * @return
+ *   IP address of the originating client, adjusted for proxy headers
+ *
+ */
+function remote_addr() {
+  $ip = $_SERVER['REMOTE_ADDR'];
+  // If Drupal is behind a proxy, we use the X-Forwarded-For header
+  // instead of the straight IP address
+  if ($_SERVER['HTTP_X_FORWARDED_FOR']) {
+    $ip = check_plain(filter_xss($_SERVER['HTTP_X_FORWARDED_FOR']));
+  }
+  return $ip;
+}
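Review bot: remote_addr() returns the X-Forwarded-For header whenever it is present, and any client can send that header, so the address used for flood limits, host bans, anonymous poll-vote matching and the log and session records in the other hunks of this patch becomes client-chosen. The header should be honoured only when `$_SERVER['REMOTE_ADDR']` is a proxy the administrator has configured, and then only one entry of the possibly comma-separated list should be used, after checking that it looks like an IP address. `check_plain(filter_xss(...))` is output escaping, not validation, and it stores an HTML-encoded string in the hostname columns. `if ($_SERVER['HTTP_X_FORWARDED_FOR'])` also reads an undefined index on direct requests, which `!empty()` avoids. A sketch follows; the setting name is a suggestion, not an existing variable in this patch.

```php
function remote_addr() {
  $ip = $_SERVER['REMOTE_ADDR'];
  // Honour X-Forwarded-For only when the direct peer is a proxy listed by
  // the site administrator; any other client can set the header itself.
  $proxies = variable_get('reverse_proxy_addresses', array());
  if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) && in_array($ip, $proxies, TRUE)) {
    // The header may hold a comma-separated chain; the last entry is the
    // one appended by the trusted proxy.
    $hops = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $candidate = trim(array_pop($hops));
    // Shape check only: reject anything that cannot be an IPv4/IPv6 literal.
    if (preg_match('/^[0-9a-fA-F:.]+$/', $candidate)) {
      $ip = $candidate;
    }
  }
  return $ip;
}
```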
Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.165
diff -u -F^f -r1.165 bootstrap.inc
--- includes/bootstrap.inc	8 May 2007 16:36:55 -0000	1.165
+++ includes/bootstrap.inc	17 May 2007 03:34:07 -0000
@@ -703,7 +703,7 @@ function watchdog($type, $message, $vari
     'user'        => $user,
     'request_uri' => $base_root . request_uri(),
     'referer'     => referer_uri(),
-    'ip'          => $_SERVER['REMOTE_ADDR'],
+    'ip'          => remote_addr(),
     'timestamp'   => time(),
     );
 
@@ -819,7 +819,7 @@ function drupal_is_denied($type, $mask) 
 function drupal_anonymous_user($session = '') {
   $user = new stdClass();
   $user->uid = 0;
-  $user->hostname = $_SERVER['REMOTE_ADDR'];
+  $user->hostname = remote_addr();
   $user->roles = array();
   $user->roles[DRUPAL_ANONYMOUS_RID] = 'anonymous user';
   $user->session = $session;
@@ -881,9 +881,9 @@ function _drupal_bootstrap($phase) {
 
     case DRUPAL_BOOTSTRAP_ACCESS:
       // Deny access to hosts which were banned - t() is not yet available.
-      if (drupal_is_denied('host', $_SERVER['REMOTE_ADDR'])) {
+      if (drupal_is_denied('host', remote_addr())) {
         header('HTTP/1.1 403 Forbidden');
-        print 'Sorry, '. $_SERVER['REMOTE_ADDR'] .' has been banned.';
+        print 'Sorry, '. remote_addr() .' has been banned.';
         exit();
       }
       break;
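Review bot: remote_addr() is added to includes/common.inc by this patch, but the DRUPAL_BOOTSTRAP_ACCESS case runs before the full bootstrap, as the `t() is not yet available` comment in this hunk indicates, so the call here would presumably hit an undefined function. The helper and anything it calls should live in bootstrap.inc instead. The same likely applies to the watchdog() and drupal_anonymous_user() hunks above and to sess_write() in session.inc, which may run on requests that never load common.inc. Separately, the ban check now keys on a value the client can choose through X-Forwarded-For until remote_addr() restricts that header to trusted proxies. The body of _drupal_bootstrap() continues outside the hunk.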
Index: includes/session.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/session.inc,v
retrieving revision 1.39
diff -u -F^f -r1.39 session.inc
--- includes/session.inc	27 Apr 2007 07:47:38 -0000	1.39
+++ includes/session.inc	17 May 2007 03:34:07 -0000
@@ -69,11 +69,11 @@ function sess_write($key, $value) {
     // and gives more useful statistics. We can't eliminate anonymous session
     // table rows without breaking throttle module and "Who's Online" block.
     if ($user->uid || $value || count($_COOKIE)) {
-      db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, isset($user->cache) ? $user->cache : '', $_SERVER["REMOTE_ADDR"], $value, time());
+      db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, isset($user->cache) ? $user->cache : '', remote_addr(), $value, time());
     }
   }
   else {
-    db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, isset($user->cache) ? $user->cache : '', $_SERVER["REMOTE_ADDR"], $value, time(), $key);
+    db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, isset($user->cache) ? $user->cache : '', remote_addr(), $value, time(), $key);
 
     // TODO: this can be an expensive query. Perhaps only execute it every x minutes. Requires investigation into cache expiration.
     if ($user->uid) {
Index: modules/comment/comment.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment/comment.module,v
retrieving revision 1.542
diff -u -F^f -r1.542 comment.module
--- modules/comment/comment.module	14 May 2007 13:43:35 -0000	1.542
+++ modules/comment/comment.module	17 May 2007 03:34:08 -0000
@@ -820,7 +820,7 @@ function comment_save($edit) {
         }
 
         $edit += array('mail' => '', 'homepage' => '');
-        db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], $_SERVER['REMOTE_ADDR'], $edit['timestamp'], $status, $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']);
+        db_query("INSERT INTO {comments} (cid, nid, pid, uid, subject, comment, format, hostname, timestamp, status, score, users, thread, name, mail, homepage) VALUES (%d, %d, %d, %d, '%s', '%s', %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s')", $edit['cid'], $edit['nid'], $edit['pid'], $edit['uid'], $edit['subject'], $edit['comment'], $edit['format'], remote_addr(), $edit['timestamp'], $status, $score, $users, $thread, $edit['name'], $edit['mail'], $edit['homepage']);
 
         _comment_update_node_statistics($edit['nid']);
 
Index: modules/poll/poll.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/poll/poll.module,v
retrieving revision 1.228
diff -u -F^f -r1.228 poll.module
--- modules/poll/poll.module	14 May 2007 13:43:36 -0000	1.228
+++ modules/poll/poll.module	17 May 2007 03:34:09 -0000
@@ -308,7 +308,7 @@ function poll_load($node) {
       $result = db_fetch_object(db_query('SELECT chorder FROM {poll_votes} WHERE nid = %d AND uid = %d', $node->nid, $user->uid));
     }
     else {
-      $result = db_fetch_object(db_query("SELECT chorder FROM {poll_votes} WHERE nid = %d AND hostname = '%s'", $node->nid, $_SERVER['REMOTE_ADDR']));
+      $result = db_fetch_object(db_query("SELECT chorder FROM {poll_votes} WHERE nid = %d AND hostname = '%s'", $node->nid, remote_addr()));
     }
     if (isset($result->chorder)) {
       $poll->vote = $result->chorder;
Index: modules/statistics/statistics.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/statistics/statistics.module,v
retrieving revision 1.258
diff -u -F^f -r1.258 statistics.module
--- modules/statistics/statistics.module	30 Apr 2007 17:03:27 -0000	1.258
+++ modules/statistics/statistics.module	17 May 2007 03:34:09 -0000
@@ -68,7 +68,7 @@ function statistics_exit() {
   }
   if ((variable_get('statistics_enable_access_log', 0)) && (module_invoke('throttle', 'status') == 0)) {
     // Log this page access.
-    db_query("INSERT INTO {accesslog} (title, path, url, hostname, uid, sid, timer, timestamp) values('%s', '%s', '%s', '%s', %d, '%s', %d, %d)", strip_tags(drupal_get_title()), $_GET['q'], referer_uri(), $_SERVER['REMOTE_ADDR'], $user->uid, session_id(), timer_read('page'), time());
+    db_query("INSERT INTO {accesslog} (title, path, url, hostname, uid, sid, timer, timestamp) values('%s', '%s', '%s', '%s', %d, '%s', %d, %d)", strip_tags(drupal_get_title()), $_GET['q'], referer_uri(), remote_addr(), $user->uid, session_id(), timer_read('page'), time());
   }
 }
 
