[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php

Thomas Bruederli thomas at roundcube.net
Fri Nov 7 10:30:38 CET 2014


On Thu, Nov 6, 2014 at 4:22 PM, Benoit Panizzon <benoit.panizzon at imp.ch> wrote:
> Hello
>
> I habe been desperately trying to get Roundcube to send the correct
> REMOTE_ADDR of the connecting client to a dovecot IMAP Server which supports
> remote IP logging by x-originating-ip ID command and login_trusted_networks
> setting.
> As google shows, that not only I had this problems, I share the solution and
> hope one of the developers reading here could submit that small fix:
>
> Here are the changes needed for it to work
>
> rcube_imap.php, define the ident option not only if debugging is enabled, and
> add x-originating-ip to the array.
>
>         if ($this->options['debug']) {
>             $this->set_debug(true);
>         } // <= Added
>
>             $this->options['ident'] = array(
>                 'name'    => 'Roundcube',
>                 'version' => RCUBE_VERSION,
>                 'php'     => PHP_VERSION,
>                 'os'      => PHP_OS,
>                 'x-originating-ip'      => $_SERVER['REMOTE_ADDR'], // <=Added
>                 'command' => $_SERVER['REQUEST_URI'],
>             );
> //        }
>
> Now this works as expected and dovecot (including it's post-login script) are
> getting the IP of the connecting webbrowser and not the one of the webserver,
> if the webserver's IP is in login_trusted_networks.

Pretty good but please be aware that $_SERVER['REMOTE_ADDR'] doesn't
reflect the client IP if your webserver is behind a reverse proxy or
load balancer. There's rcube_utils::remote_addr() which extracts the
real client IP from the headers such intermediate systems add to the
request.

Best,
Thomas


More information about the dev mailing list