Use ctx.RemoteAddr() to get the real ip instead of getting it from the http header

ByLCY · ByLCY · commit 0821c09d4be8 · 2023-01-19T18:48:50.000+08:00
Signed-off-by: ByLCY &lt;bylcy@bylcy.dev&gt;
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -790,7 +790,6 @@ ROUTER = console
 ;; Go to https://dash.cloudflare.com/?to=/:account/turnstile to sign up for a key
 ;CF_TURNSTILE_SITEKEY =
 ;CF_TURNSTILE_SECRET =
-;CF_REVERSE_PROXY_HEADER =
 ;;
 ;; Default value for KeepEmailPrivate
 ;; Each new user will get the value of this setting copied into their profile
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -655,7 +655,6 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
 - `MCAPTCHA_URL` **https://demo.mcaptcha.org/**: Set the mCaptcha URL.
 - `CF_TURNSTILE_SECRET` **""**: Go to https://dash.cloudflare.com/?to=/:account/turnstile to get a secret for cloudflare turnstile.
 - `CF_TURNSTILE_SITEKEY` **""**: Go to https://dash.cloudflare.com/?to=/:account/turnstile to get a sitekey for cloudflare turnstile.
-- `CF_REVERSE_PROXY_HEADER` **""**: The http header where the user's real ip is located. Otherwise it should be `""`.
 - `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private.
 - `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default.
 - `DEFAULT_USER_IS_RESTRICTED`: **false**: Give new users restricted permissions by default
diff --git a/docs/content/doc/advanced/config-cheat-sheet.zh-cn.md b/docs/content/doc/advanced/config-cheat-sheet.zh-cn.md
@@ -158,7 +158,6 @@ menu:
 - `MCAPTCHA_URL` **https://demo.mcaptcha.org/**: 设置 remCaptchacaptcha 的 url 。
 - `CF_TURNSTILE_SECRET` **""**: cloudlfare turnstile 服务的密钥，可在 https://dash.cloudflare.com/?to=/:account/turnstile 获取。
 - `CF_TURNSTILE_SITEKEY` **""**: cloudlfare turnstile 服务的网站密钥 ，可在 https://www.google.com/recaptcha/admin 获取。
-- `CF_REVERSE_PROXY_HEADER` **""**: http 的 header 字段，用于获取客户端的 ip 供 cloudflare turnstile 验证时使用。如果没有反向代理设置这里应设置为 `""` 。
 
 ### Service - Expore (`service.explore`)
 
diff --git a/modules/context/captcha.go b/modules/context/captcha.go
@@ -5,6 +5,7 @@ package context
 
 import (
 	"fmt"
+	"net"
 	"sync"
 
 	"code.gitea.io/gitea/modules/base"
@@ -78,10 +79,9 @@ func VerifyCaptcha(ctx *Context, tpl base.TplName, form interface{}) {
 		valid, err = mcaptcha.Verify(ctx, ctx.Req.Form.Get(mCaptchaResponseField))
 	case setting.CfTurnstile:
 		var ip string
-		if setting.Service.CfReverseProxyHeader == "" {
-			ip = ctx.RemoteAddr()
-		} else {
-			ip = ctx.Req.Header.Get(setting.Service.CfReverseProxyHeader)
+		ip, _, err = net.SplitHostPort(ctx.RemoteAddr())
+		if err != nil {
+			break
 		}
 		valid, err = turnstile.Verify(ctx, ctx.Req.Form.Get(cfTurnstileResponseField), ip)
 	default:
diff --git a/modules/setting/service.go b/modules/setting/service.go
@@ -48,7 +48,6 @@ var Service = struct {
 	RecaptchaURL                            string
 	CfTurnstileSecret                       string
 	CfTurnstileSitekey                      string
-	CfReverseProxyHeader                    string
 	HcaptchaSecret                          string
 	HcaptchaSitekey                         string
 	McaptchaSecret                          string
@@ -142,7 +141,6 @@ func newService() {
 	Service.RecaptchaURL = sec.Key("RECAPTCHA_URL").MustString("https://www.google.com/recaptcha/")
 	Service.CfTurnstileSecret = sec.Key("CF_TURNSTILE_SECRET").MustString("")
 	Service.CfTurnstileSitekey = sec.Key("CF_TURNSTILE_SITEKEY").MustString("")
-	Service.CfReverseProxyHeader = sec.Key("CF_REVERSE_PROXY_HEADER").MustString("")
 	Service.HcaptchaSecret = sec.Key("HCAPTCHA_SECRET").MustString("")
 	Service.HcaptchaSitekey = sec.Key("HCAPTCHA_SITEKEY").MustString("")
 	Service.McaptchaURL = sec.Key("MCAPTCHA_URL").MustString("https://demo.mcaptcha.org/")
diff --git a/modules/turnstile/turnstile.go b/modules/turnstile/turnstile.go
@@ -52,10 +52,10 @@ func Verify(ctx context.Context, response, ip string) (bool, error) {
 	}
 
 	var jsonResponse Response
-	err = json.Unmarshal(body, &jsonResponse)
-	if err != nil {
+	if err := json.Unmarshal(body, &jsonResponse); err != nil {
 		return false, fmt.Errorf("Failed to parse CAPTCHA response: %s", err)
 	}
+
 	var respErr error
 	if len(jsonResponse.ErrorCodes) > 0 {
 		respErr = jsonResponse.ErrorCodes[0]

Original file line number	Diff line number	Diff line change
`@@ -52,10 +52,10 @@ func Verify(ctx context.Context, response, ip string) (bool, error) {`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`var jsonResponse Response`
`55`		`- err = json.Unmarshal(body, &jsonResponse)`
`56`		`- if err != nil {`
	`55`	`+ if err := json.Unmarshal(body, &jsonResponse); err != nil {`
`57`	`56`	`return false, fmt.Errorf("Failed to parse CAPTCHA response: %s", err)`
`58`	`57`	`}`
	`58`	`+`
`59`	`59`	`var respErr error`
`60`	`60`	`if len(jsonResponse.ErrorCodes) > 0 {`
`61`	`61`	`respErr = jsonResponse.ErrorCodes[0]`