From 44aa14ddf79949364379a598a2575b3ddb0ae493 Mon Sep 17 00:00:00 2001
From: Tanguy Pruvot
Date: Sat, 5 Aug 2017 02:36:34 +0200
Subject: [PATCH] admin: prevent ip spoofing for admin url

---
 web/yaamp/modules/site/SiteController.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/web/yaamp/modules/site/SiteController.php b/web/yaamp/modules/site/SiteController.php
index f8a1ee3..5b153cc 100644
--- a/web/yaamp/modules/site/SiteController.php
+++ b/web/yaamp/modules/site/SiteController.php
@@ -5,12 +5,19 @@ class SiteController extends CommonController
 public $defaultAction='index';
 
 ///////////////////////////////////////////////////
-
+ // Security Note: You can rename this action as you
+ // want, to customize the admin entrance url...
+ //
 public function actionAdminRights()
 {
- $client_ip = $_SERVER['REMOTE_ADDR'];
-
+ $client_ip = arraySafeVal($_SERVER,'REMOTE_ADDR');
 $valid = isAdminIP($client_ip);
+
+ if (arraySafeVal($_SERVER,'HTTP_X_FORWARDED_FOR','') != '') {
+ debuglog("admin access attempt via IP spoofing!");
+ $valid = false;
+ }
+
 if ($valid)
 debuglog("admin connect from $client_ip");
 else
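Review bot: Denying whenever `HTTP_X_FORWARDED_FOR` is non-empty treats the header's presence as the problem instead of fixing where it is trusted; if a reverse proxy or CDN in front of the pool sets that header on every request, all admin access is refused, and `isAdminIP($client_ip)` is then evaluated against the proxy's address rather than the user's. The durable fix is to make whichever helper resolves the client address (presumably `isAdminIP` or something it calls — not visible here) use `REMOTE_ADDR` only, or honour forwarding headers solely when `REMOTE_ADDR` is in a configured trusted-proxy list. The denial log line should carry the source address so attempts can be correlated with the access log, e.g. `debuglog("admin access attempt via IP spoofing from $client_ip");`, and the comparison should be strict rather than loose: `if (arraySafeVal($_SERVER,'HTTP_X_FORWARDED_FOR','') !== '') {`. actionAdminRights continues past the end of the hunk, so the else branch that handles the rejected case is not visible.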