Version 3.4.0

1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项，在有反代或负载均衡的情况下可开启XFF_ENABLE，关闭ADMIN_IP_CHECK_ENABLE
2. 修复一系列bug

admin.php

@@ -1,6 +1,6 @@
 <?php
 define("IN_XSS_PLATFORM", true);
-require("auth.php");
+require_once("auth.php");
 ?>
 <!DOCTYPE html>
 <html>

api.php

@@ -1,8 +1,7 @@
 <?php
+error_reporting(0);
 define("IN_XSS_PLATFORM", true);
 require_once('auth.php');
-require_once("load.php");
-require_once("functions.php");
 require_once("dio.php");
 header('Content-Type: application/json');
 

auth.php

@@ -3,12 +3,24 @@
     exit('Access Denied');
 }
 
+require_once("functions.php");
+
 //设置httponly
 ini_set("session.cookie_httponly", 1);
 session_start();
 
 //判断登陆情况，ip和useragent是否改变，改变则强制退出
-if (!(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === $_SERVER['REMOTE_ADDR'] && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT'])) {
+if ( !(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) ) {
+    $_SESSION['isLogin']    = false;
+    $_SESSION['user_IP']    = "";
+    $_SESSION['user_agent'] = "";
+    session_unset();
+    session_destroy();
+    header("Location: login.php");
+    exit();
+}
+
+if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === getRealIP()) ) {
     $_SESSION['isLogin']    = false;
     $_SESSION['user_IP']    = "";
     $_SESSION['user_agent'] = "";

config-sample.php

@@ -11,6 +11,8 @@
 define("ENCRYPT_PASS", "bluelotus"); //加密密码
 define("ENCRYPT_TYPE", "RC4"); //加密方法（AES或RC4）
 define("KEEP_SESSION", true); //是否启用KEEP_SESSION功能，需要外部定时访问keepsession.php
+define("ADMIN_IP_CHECK_ENABLE", true);//是否启用管理员ip认证，启用后，当xss平台发现ip变化，将会踢出管理员要求重新登录，如果发现经常异常退出控制面板，请关闭此项认证
+define("XFF_ENABLE", false);//是否使用HTTP_X_FORWARDED_FOR的地址来代替REMOTE_ADDR，当且仅当存在反代的情况下才须开启，开启须谨慎！
 define("IPDATA_PATH", "qqwry.dat"); //ip归属地数据库地址
 
 /*邮件通知相关配置*/

dio.php

@@ -2,7 +2,6 @@
 if ( !defined('IN_XSS_PLATFORM') ) {
     exit('Access Denied');
 }
-require_once("load.php");
 require_once("functions.php");
 
 //时间戳的正则表达式

functions.php

@@ -121,6 +121,27 @@ function decrypt($info) {
     return $info;
 }
 
+//获得访问者真实ip
+function getRealIP(){
+    $ip="unknown";
+    if (XFF_ENABLE) {
+        foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_VIA', 'HTTP_FROM', 'REMOTE_ADDR') as $v) {
+            if (isset($_SERVER[$v])) {
+                if (! preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $_SERVER[$v])) {
+                    continue;
+                }
+                $ip = $_SERVER[$v];
+				break;
+            }
+        }
+    }
+    else {
+        if ( isset($_SERVER['REMOTE_ADDR']) )
+            $ip = $_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+
 //基于Discuz X3.1 function_misc.php 函数已过滤，可直接输出
 function convertip($ip, $ipdatafile) {
     $ipaddr = '未知';

index.php

@@ -3,20 +3,19 @@
 ignore_user_abort(true);
 error_reporting(0);
 
-//sometimes we only need "referfer".
+//sometimes we only need "referer".
 
 /*
 if(count($_GET)==0&&count($_POST)==0&&count($_COOKIE)==0)
 exit();
 */
 header("Access-Control-Allow-Origin:*");
-require_once("load.php");
 require_once("functions.php");
 require_once("dio.php");
 
 $info = array();
 
-$user_IP        = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "unknown";
+$user_IP        = getRealIP();
 $user_port      = isset($_SERVER['REMOTE_PORT']) ? $_SERVER['REMOTE_PORT'] : "unknown";
 $protocol       = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : "unknown";
 $request_method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : "unknown";