From c084ebc0d46b44266926925eface582a8a03da80 Mon Sep 17 00:00:00 2001
From: vsilvar
Date: Mon, 12 Nov 2018 18:12:09 +0000
Subject: [PATCH] Re-check remote IP if trusted, fixes #168

The fix for #168 was not complete, as the last suggested change was never pulled. This fixes the problem that IP checks are done before $acptip is updated with the remote IP, by re-checking when set. Another possible fix would be to only check IP's after reading the headers, but imo it is best to deny access as soon as possible.
---
 miniserv.pl | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/miniserv.pl b/miniserv.pl
index 211b25f0e..25fe55aa1 100755
--- a/miniserv.pl
+++ b/miniserv.pl
@@ -1458,6 +1458,24 @@ if ($config{'trust_real_ip'}) {
 # If a remote IP was given, use it for all access control checks
 # from now on.
 $acptip = $headerhost;
+
+ # re-check remote address against access list
+ if (@deny && &ip_match($acptip, $localip, @deny) ||
+ @allow && !&ip_match($acptip, $localip, @allow)) {
+ &http_error(403, "Access denied for ".&html_strip($acptip));
+ return 0;
+ }
+
+ if ($use_libwrap) {
+ # Check address with TCP-wrappers
+ if (!hosts_ctl($config{'pam'}, STRING_UNKNOWN,
+ $acptip, STRING_UNKNOWN)) {
+ &http_error(403, "Access denied for ".&html_strip($acptip).
+ " by TCP wrappers");
+ return 0;
+ }
+ }
+ print DEBUG "handle_request: passed Remote IP checks\n";
 }
 $loghost = $acpthost;
 }
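Review bot: The new re-check after `$acptip = $headerhost;` runs in addition to the earlier socket-address check that the commit message describes (outside this hunk), so with an `@allow` list the proxy's own address apparently has to be listed alongside the real clients, and nothing in the code says so. I would add a comment above the re-check such as `# The socket peer (the proxy) was already checked earlier; the forwarded address must pass @allow/@deny and TCP wrappers as well`. The address being checked comes from a request header, so the result is only as reliable as the proxy that sets it; where `$headerhost` is parsed is not visible here, and it is worth confirming that it is validated as a single IP address before it reaches `ip_match` and `hosts_ctl`. The block also looks like a copy of the earlier access-list and TCP-wrappers logic, so a shared helper taking the address as its argument would keep the two checks from drifting apart. The enclosing function starts and ends outside the hunk.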