2 files changed, 53 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index b71ae88463..761831cc16 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ PHP                                                                        NEWS
   node). (Tony)
 - Fixed bug #40428 (imagepstext() doesn't accept optional parameter). (Pierre)
 - Fixed bug #40410 (ext/posix does not compile on MacOS 10.3.9). (Tony)
+- Fixed Bug #40352 (FCGI_WEB_SERVER_ADDRS function get lost). (Dmitry)
 - Fixed bug #40236 (php -a function allocation eats memory). (Dmitry)
 - Fixed bug #40109 (iptcembed fails on non-jfif jpegs). (Tony)
 - Fixed bug #39836 (SplObjectStorage empty after unserialize). (Marcus)
diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c
index df8c7ff06e..743c90eee9 100644
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -153,6 +153,8 @@ static DWORD WINAPI fcgi_shutdown_thread(LPVOID arg)
 
 #else
 
+static in_addr_t *allowed_clients = NULL;
+
 static void fcgi_signal_handler(int signo)
 {
 	if (signo == SIGUSR1 || signo == SIGTERM) {
@@ -317,6 +319,38 @@ int fcgi_listen(const char *path, int backlog)
 
 	if (!tcp) {
 		chmod(path, 0777);
+	} else {
+	    char *ip = getenv("FCGI_WEB_SERVER_ADDRS");
+	    char *cur, *end;
+	    int n;
+	    
+	    if (ip) {
+	    	ip = strdup(ip);
+	    	cur = ip;
+	    	n = 0;
+	    	while (*cur) {
+	    		if (*cur == ',') n++;
+	    		cur++;
+	    	}
+	    	allowed_clients = malloc(sizeof(in_addr_t) * (n+2));
+	    	n = 0;
+	    	cur = ip;
+	    	while (cur) {
+		    	end = strchr(cur, ',');
+		    	if (end) {
+	    			*end = 0;
+	    			end++;
+	    		}
+	    		allowed_clients[n] = inet_addr(cur);
+	    		if (allowed_clients[n] == INADDR_NONE) {
+					fprintf(stderr, "Wrong IP address '%s' in FCGI_WEB_SERVER_ADDRS\n", cur);
+	    		}
+	    		n++;
+	    		cur = end;
+	    	}
+	    	allowed_clients[n] = INADDR_NONE;
+			free(ip);
+		}
 	}
 
 	if (!is_initialized) {
@@ -689,6 +723,24 @@ int fcgi_accept_request(fcgi_request *req)
 					FCGI_LOCK(req->listen_socket);
 					req->fd = accept(req->listen_socket, (struct sockaddr *)&sa, &len);
 					FCGI_UNLOCK(req->listen_socket);
+					if (req->fd >= 0 && allowed_clients) {
+						int n = 0;
+						int allowed = 0;
+
+			    		while (allowed_clients[n] != INADDR_NONE) {
+			    			if (allowed_clients[n] == sa.sa_inet.sin_addr.s_addr) {
+			    				allowed = 1;
+			    				break;
+			    			}
+			    			n++;
+			    		}
+						if (!allowed) {
+							fprintf(stderr, "Connection from disallowed IP address '%s' is dropped.\n", inet_ntoa(sa.sa_inet.sin_addr));
+							close(req->fd);
+							req->fd = -1;
+							continue;
+						}
+					}
 				}
 #endif