dépôts / lhc / web / wiklou.git / blob
? search:


42e39a8de71ada6659c6d9f5d526ba7748722df3
[lhc/web/wiklou.git] / includes / ProxyTools.php
1 <?php
2 if ( ! defined( 'MEDIAWIKI' ) )
3 die();
4 /**
5 * Functions for dealing with proxies
6 * @package MediaWiki
7 */
8
9 /** Work out the IP address based on various globals */
10 function wfGetIP() {
11 global $wgSquidServers, $wgSquidServersNoPurge, $wgIP;
12
13 # Return cached result
14 if ( !empty( $wgIP ) ) {
15 return $wgIP;
16 }
17
18 /* collect the originating ips */
19 # Client connecting to this webserver
20 if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
21 $ipchain = array( $_SERVER['REMOTE_ADDR'] );
22 } else {
23 # Running on CLI?
24 $ipchain = array( '127.0.0.1' );
25 }
26 $ip = $ipchain[0];
27
28 # Get list of trusted proxies
29 # Flipped for quicker access
30 $trustedProxies = array_flip( array_merge( $wgSquidServers, $wgSquidServersNoPurge ) );
31 if ( count( $trustedProxies ) ) {
32 # Append XFF on to $ipchain
33 if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
34 $xff = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
35 $xff = array_reverse( $xff );
36 $ipchain = array_merge( $ipchain, $xff );
37 }
38 # Step through XFF list and find the last address in the list which is a trusted server
39 # Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private)
40 foreach ( $ipchain as $i => $curIP ) {
41 if ( array_key_exists( $curIP, $trustedProxies ) ) {
42 if ( isset( $ipchain[$i + 1] ) && wfIsIPPublic( $ipchain[$i + 1] ) ) {
43 $ip = $ipchain[$i + 1];
44 }
45 } else {
46 break;
47 }
48 }
49 }
50
51 wfDebug( "IP: $ip\n" );
52 $wgIP = $ip;
53 return $ip;
54 }
55
56 /**
57 * Given an IP address in dotted-quad notation, returns an unsigned integer.
58 * Like ip2long() except that it actually works and has a consistent error return value.
59 */
60 function wfIP2Unsigned( $ip ) {
61 $n = ip2long( $ip );
62 if ( $n == -1 || $n === false ) { # Return value on error depends on PHP version
63 $n = false;
64 } elseif ( $n < 0 ) {
65 $n += pow( 2, 32 );
66 }
67 return $n;
68 }
69
70 /**
71 * Return a zero-padded hexadecimal representation of an IP address
72 */
73 function wfIP2Hex( $ip ) {
74 $n = wfIP2Unsigned( $ip );
75 if ( $n !== false ) {
76 $n = sprintf( '%08X', $n );
77 }
78 return $n;
79 }
80
81 /**
82 * Determine if an IP address really is an IP address, and if it is public,
83 * i.e. not RFC 1918 or similar
84 */
85 function wfIsIPPublic( $ip ) {
86 $n = wfIP2Unsigned( $ip );
87 if ( !$n ) {
88 return false;
89 }
90
91 static $privateRanges = false;
92 if ( !$privateRanges ) {
93 $privateRanges = array(
94 array( '10.0.0.0', '10.255.255.255' ), # RFC 1918 (private)
95 array( '172.16.0.0', '172.31.255.255' ), # "
96 array( '192.168.0.0', '192.168.255.255' ), # "
97 array( '0.0.0.0', '0.255.255.255' ), # this network
98 array( '127.0.0.0', '127.255.255.255' ), # loopback
99 );
100 }
101
102 foreach ( $privateRanges as $r ) {
103 $start = wfIP2Unsigned( $r[0] );
104 $end = wfIP2Unsigned( $r[1] );
105 if ( $n >= $start && $n <= $end ) {
106 return false;
107 }
108 }
109 return true;
110 }
111
112 /**
113 * Forks processes to scan the originating IP for an open proxy server
114 * MemCached can be used to skip IPs that have already been scanned
115 */
116 function wfProxyCheck() {
117 global $wgBlockOpenProxies, $wgProxyPorts, $wgProxyScriptPath;
118 global $wgUseMemCached, $wgMemc, $wgDBname, $wgProxyMemcExpiry;
119
120 if ( !$wgBlockOpenProxies ) {
121 return;
122 }
123
124 $ip = wfGetIP();
125
126 # Get MemCached key
127 $skip = false;
128 if ( $wgUseMemCached ) {
129 $mcKey = "$wgDBname:proxy:ip:$ip";
130 $mcValue = $wgMemc->get( $mcKey );
131 if ( $mcValue ) {
132 $skip = true;
133 }
134 }
135
136 # Fork the processes
137 if ( !$skip ) {
138 $title = Title::makeTitle( NS_SPECIAL, 'Blockme' );
139 $iphash = md5( $ip . $wgProxyKey );
140 $url = $title->getFullURL( 'ip='.$iphash );
141
142 foreach ( $wgProxyPorts as $port ) {
143 $params = implode( ' ', array(
144 escapeshellarg( $wgProxyScriptPath ),
145 escapeshellarg( $ip ),
146 escapeshellarg( $port ),
147 escapeshellarg( $url )
148 ));
149 exec( "php $params &>/dev/null &" );
150 }
151 # Set MemCached key
152 if ( $wgUseMemCached ) {
153 $wgMemc->set( $mcKey, 1, $wgProxyMemcExpiry );
154 }
155 }
156 }
157
158 /**
159 * Convert a network specification in CIDR notation to an integer network and a number of bits
160 */
161 function wfParseCIDR( $range ) {
162 $parts = explode( '/', $range, 2 );
163 if ( count( $parts ) != 2 ) {
164 return array( false, false );
165 }
166 $network = wfIP2Unsigned( $parts[0] );
167 if ( $network !== false && is_numeric( $parts[1] ) && $parts[1] >= 0 && $parts[1] <= 32 ) {
168 $bits = $parts[1];
169 } else {
170 $network = false;
171 $bits = false;
172 }
173 return array( $network, $bits );
174 }
175
176 /**
177 * Check if an IP address is in the local proxy list
178 */
179 function wfIsLocallyBlockedProxy( $ip ) {
180 global $wgProxyList;
181 $fname = 'wfIsLocallyBlockedProxy';
182
183 if ( !$wgProxyList ) {
184 return false;
185 }
186 wfProfileIn( $fname );
187
188 if ( !is_array( $wgProxyList ) ) {
189 # Load from the specified file
190 $wgProxyList = array_map( 'trim', file( $wgProxyList ) );
191 }
192
193 if ( !is_array( $wgProxyList ) ) {
194 $ret = false;
195 } elseif ( array_search( $ip, $wgProxyList ) !== false ) {
196 $ret = true;
197 } elseif ( array_key_exists( $ip, $wgProxyList ) ) {
198 # Old-style flipped proxy list
199 $ret = true;
200 } else {
201 $ret = false;
202 }
203 wfProfileOut( $fname );
204 return $ret;
205 }
206
207
208
209
210 ?>
Wiklou, le Wiki du Wiklou