From 47efedf23cc45bb2425a183bcc1ac998380c45c4 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Fri, 18 Sep 2015 22:31:01 +0200
Subject: [PATCH] traffic limiter would fail behind a reverse proxy / load
 balancer. Adding configuration option to set the trusted HTTP header to get
 the visitors IP in such a case (avoiding security issue if malicious clients
 just set these headers themselfs)

---
 cfg/conf.ini    |  6 ++++++
 lib/zerobin.php | 11 ++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/cfg/conf.ini b/cfg/conf.ini
index 3122581..dff69c1 100644
--- a/cfg/conf.ini
+++ b/cfg/conf.ini
@@ -71,6 +71,12 @@ markdown = "Markdown"
 ; time limit between calls from the same IP address in seconds
 ; Set this to 0 to disable rate limiting.
 limit = 10
+
+; (optional) if your website runs behind a reverse proxy or load balancer,
+; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+; header = "X_FORWARDED_FOR"
+
+; directory to store the traffic limits in
 dir = PATH "data"
 
 [model]
diff --git a/lib/zerobin.php b/lib/zerobin.php
index 7d0b2cf..5de2710 100644
--- a/lib/zerobin.php
+++ b/lib/zerobin.php
@@ -223,7 +223,16 @@ class zerobin
         // Make sure last paste from the IP address was more than X seconds ago.
         trafficlimiter::setLimit($this->_conf['traffic']['limit']);
         trafficlimiter::setPath($this->_conf['traffic']['dir']);
-        if (!trafficlimiter::canPass($_SERVER['REMOTE_ADDR']))
+        $ipKey = 'REMOTE_ADDR';
+        if (array_key_exists('header', $this->_conf['traffic']))
+        {
+            $header = 'HTTP_' . $this->_conf['traffic']['header'];
+            if (array_key_exists($header, $_SERVER) && !empty($_SERVER[$header]))
+            {
+                $ipKey = $header;
+            }
+        }
+        if (!trafficlimiter::canPass($_SERVER[$ipKey]))
         {
             $this->_return_message(
                 1,