From ec1e85ec5dbb643840f5cdd18343f0c1bc335251 Mon Sep 17 00:00:00 2001
From: Andy Janata
Date: Mon, 1 Oct 2012 20:12:14 -0700
Subject: [PATCH] Check X-Forwarded-For on the admin pages. Fixes #22.
---
 WebContent/addcard.jsp | 4 +++-
 WebContent/admin.jsp | 4 +++-
 WebContent/cardsets.jsp | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/WebContent/addcard.jsp b/WebContent/addcard.jsp
index cd9f853..ed7fb54 100644
--- a/WebContent/addcard.jsp
+++ b/WebContent/addcard.jsp
@@ -30,10 +30,12 @@ Administration tools.
 <%@ page import="net.socialgamer.cah.HibernateUtil" %>
 <%@ page import="net.socialgamer.cah.db.BlackCard" %>
 <%@ page import="net.socialgamer.cah.db.WhiteCard" %>
+<%@ page import="net.socialgamer.cah.RequestWrapper" %>
 <%@ page import="org.hibernate.Session" %>
 <%@ page import="org.hibernate.Transaction" %>
 <%
-String remoteAddr = request.getRemoteAddr();
+RequestWrapper wrapper = new RequestWrapper(request);
+String remoteAddr = wrapper.getRemoteAddr();
 // TODO better access control than hard-coding IP addresses.
 if (!(remoteAddr.equals("0:0:0:0:0:0:0:1") || remoteAddr.equals("127.0.0.1") || remoteAddr.equals("98.248.33.90") || remoteAddr.equals("207.161.125.132"))) {
diff --git a/WebContent/admin.jsp b/WebContent/admin.jsp
index 790f4c9..d44238d 100644
--- a/WebContent/admin.jsp
+++ b/WebContent/admin.jsp
@@ -30,6 +30,7 @@ Administration tools.
 <%@ page import="com.google.inject.Injector" %>
 <%@ page import="com.google.inject.Key" %>
 <%@ page import="com.google.inject.TypeLiteral" %>
+<%@ page import="net.socialgamer.cah.RequestWrapper" %>
 <%@ page import="net.socialgamer.cah.CahModule.BanList" %>
 <%@ page import="net.socialgamer.cah.Constants.DisconnectReason" %>
 <%@ page import="net.socialgamer.cah.Constants.LongPollEvent" %>
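Review bot: The allowlist at the end of the addcard.jsp hunk now compares an address that `wrapper.getRemoteAddr()` derives from X-Forwarded-For (per the subject line), so the check is only as trustworthy as whoever can set that header; RequestWrapper is outside this patch, so it is not visible here whether it falls back to `request.getRemoteAddr()` when the immediate peer is not a trusted proxy. If the servlet container is reachable on any path that bypasses the proxy, the hard-coded IP check no longer binds to the TCP peer at all. I would keep the peer check explicit in the page rather than rely on the wrapper alone — start from `String remoteAddr = request.getRemoteAddr();` and take the forwarded address only when that peer is the proxy — and record the trust boundary above the allowlist with `// remoteAddr may come from X-Forwarded-For; only valid if every request arrives through the proxy that sets it.`. The same change, with the same concern, is made in the second admin.jsp hunk and in cardsets.jsp. The scriptlet's if-block continues past the end of the hunk.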
@@ -47,7 +48,8 @@ Administration tools.
 <%@ page import="java.util.Set" %>
 <%
-String remoteAddr = request.getRemoteAddr();
+RequestWrapper wrapper = new RequestWrapper(request);
+String remoteAddr = wrapper.getRemoteAddr();
 // TODO better access control than hard-coding IP addresses.
 if (!(remoteAddr.equals("0:0:0:0:0:0:0:1") || remoteAddr.equals("127.0.0.1") || remoteAddr.equals("98.248.33.90") || remoteAddr.equals("207.161.125.132"))) {
diff --git a/WebContent/cardsets.jsp b/WebContent/cardsets.jsp
index b25580e..cc498c2 100644
--- a/WebContent/cardsets.jsp
+++ b/WebContent/cardsets.jsp
@@ -33,11 +33,13 @@ Administration tools.
 <%@ page import="net.socialgamer.cah.db.BlackCard" %>
 <%@ page import="net.socialgamer.cah.db.CardSet" %>
 <%@ page import="net.socialgamer.cah.db.WhiteCard" %>
+<%@ page import="net.socialgamer.cah.RequestWrapper" %>
 <%@ page import="org.apache.commons.lang3.StringEscapeUtils" %>
 <%@ page import="org.hibernate.Session" %>
 <%@ page import="org.hibernate.Transaction" %>
 <%
-String remoteAddr = request.getRemoteAddr();
+RequestWrapper wrapper = new RequestWrapper(request);
+String remoteAddr = wrapper.getRemoteAddr();
 //TODO better access control than hard-coding IP addresses.
 if (!(remoteAddr.equals("0:0:0:0:0:0:0:1") || remoteAddr.equals("127.0.0.1") || remoteAddr.equals("98.248.33.90") || remoteAddr.equals("207.161.125.132"))) {
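Review bot: The cardsets.jsp hunk is the third copy of the same admin gate (`RequestWrapper wrapper = new RequestWrapper(request);`, `String remoteAddr = wrapper.getRemoteAddr();`, the TODO and the hard-coded `if`), after addcard.jsp and the second admin.jsp hunk, so the trust decision and the address list now have to be kept in sync by hand across three scriptlets. A single servlet Filter mapped to the admin pages, or one static helper that answers whether the request is permitted, would let both the forwarded-address handling and the allowlist change in one place. The `//TODO` here already lacks the space the other two copies have, a small sign of the copies drifting. The if-block runs past the end of the hunk.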