includes/ProxyTools.php

   1 <?php
   2 /**
   3  * Functions for dealing with proxies
   4  */
   5
   6 /**
   7  * Extracts the XFF string from the request header
   8  * Checks first for "X-Forwarded-For", then "Client-ip"
   9  * Note: headers are spoofable
  10  * @return string
  11  */
  12 function wfGetForwardedFor() {
  13         if( function_exists( 'apache_request_headers' ) ) {
  14                 // More reliable than $_SERVER due to case and -/_ folding
  15                 $set = array ();
  16                 foreach ( apache_request_headers() as $tempName => $tempValue ) {
  17                         $set[ strtoupper( $tempName ) ] = $tempValue;
  18                 }
  19                 $index = strtoupper ( 'X-Forwarded-For' );
  20                 $index2 = strtoupper ( 'Client-ip' );
  21         } else {
  22                 // Subject to spoofing with headers like X_Forwarded_For
  23                 $set = $_SERVER;
  24                 $index = 'HTTP_X_FORWARDED_FOR';
  25                 $index2 = 'CLIENT-IP';
  26         }
  27
  28         #Try a couple of headers
  29         if( isset( $set[$index] ) ) {
  30                 return $set[$index];
  31         } else if( isset( $set[$index2] ) ) {
  32                 return $set[$index2];
  33         } else {
  34                 return null;
  35         }
  36 }
  37
  38 /**
  39  * Returns the browser/OS data from the request header
  40  * Note: headers are spoofable
  41  * @return string
  42  */
  43 function wfGetAgent() {
  44         if( function_exists( 'apache_request_headers' ) ) {
  45                 // More reliable than $_SERVER due to case and -/_ folding
  46                 $set = array ();
  47                 foreach ( apache_request_headers() as $tempName => $tempValue ) {
  48                         $set[ strtoupper( $tempName ) ] = $tempValue;
  49                 }
  50                 $index = strtoupper ( 'User-Agent' );
  51         } else {
  52                 // Subject to spoofing with headers like X_Forwarded_For
  53                 $set = $_SERVER;
  54                 $index = 'HTTP_USER_AGENT';
  55         }
  56         if( isset( $set[$index] ) ) {
  57                 return $set[$index];
  58         } else {
  59                 return '';
  60         }
  61 }
  62
  63 /**
  64  * Work out the IP address based on various globals
  65  * For trusted proxies, use the XFF client IP (first of the chain)
  66  * @return string
  67  */
  68 function wfGetIP() {
  69         global $wgIP;
  70
  71         # Return cached result
  72         if ( !empty( $wgIP ) ) {
  73                 return $wgIP;
  74         }
  75
  76         /* collect the originating ips */
  77         # Client connecting to this webserver
  78         if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
  79                 $ipchain = array( IP::canonicalize( $_SERVER['REMOTE_ADDR'] ) );
  80         } else {
  81                 # Running on CLI?
  82                 $ipchain = array( '127.0.0.1' );
  83         }
  84         $ip = $ipchain[0];
  85
  86         # Append XFF on to $ipchain
  87         $forwardedFor = wfGetForwardedFor();
  88         if ( isset( $forwardedFor ) ) {
  89                 $xff = array_map( 'trim', explode( ',', $forwardedFor ) );
  90                 $xff = array_reverse( $xff );
  91                 $ipchain = array_merge( $ipchain, $xff );
  92         }
  93
  94         # Step through XFF list and find the last address in the list which is a trusted server
  95         # Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private)
  96         foreach ( $ipchain as $i => $curIP ) {
  97                 $curIP = IP::canonicalize( $curIP );
  98                 if ( wfIsTrustedProxy( $curIP ) ) {
  99                         if ( isset( $ipchain[$i + 1] ) && IP::isPublic( $ipchain[$i + 1] ) ) {
 100                                 $ip = $ipchain[$i + 1];
 101                         }
 102                 } else {
 103                         break;
 104                 }
 105         }
 106
 107         wfDebug( "IP: $ip\n" );
 108         $wgIP = $ip;
 109         return $ip;
 110 }
 111
 112 /**
 113  * Checks if an IP is a trusted proxy providor
 114  * Useful to tell if X-Fowarded-For data is possibly bogus
 115  * Squid cache servers for the site and AOL are whitelisted
 116  * @param string $ip
 117  * @return bool
 118  */
 119 function wfIsTrustedProxy( $ip ) {
 120         global $wgSquidServers, $wgSquidServersNoPurge;
 121
 122         if ( in_array( $ip, $wgSquidServers ) ||
 123                 in_array( $ip, $wgSquidServersNoPurge ) ||
 124                 wfIsAOLProxy( $ip )
 125         ) {
 126                 $trusted = true;
 127         } else {
 128                 $trusted = false;
 129         }
 130         wfRunHooks( 'IsTrustedProxy', array( &$ip, &$trusted ) );
 131         return $trusted;
 132 }
 133
 134 /**
 135  * Forks processes to scan the originating IP for an open proxy server
 136  * MemCached can be used to skip IPs that have already been scanned
 137  */
 138 function wfProxyCheck() {
 139         global $wgBlockOpenProxies, $wgProxyPorts, $wgProxyScriptPath;
 140         global $wgMemc, $wgProxyMemcExpiry;
 141         global $wgProxyKey;
 142
 143         if ( !$wgBlockOpenProxies ) {
 144                 return;
 145         }
 146
 147         $ip = wfGetIP();
 148
 149         # Get MemCached key
 150         $mcKey = wfMemcKey( 'proxy', 'ip', $ip );
 151         $mcValue = $wgMemc->get( $mcKey );
 152         $skip = (bool)$mcValue;
 153
 154         # Fork the processes
 155         if ( !$skip ) {
 156                 $title = SpecialPage::getTitleFor( 'Blockme' );
 157                 $iphash = md5( $ip . $wgProxyKey );
 158                 $url = $title->getFullURL( 'ip='.$iphash );
 159
 160                 foreach ( $wgProxyPorts as $port ) {
 161                         $params = implode( ' ', array(
 162                                                 escapeshellarg( $wgProxyScriptPath ),
 163                                                 escapeshellarg( $ip ),
 164                                                 escapeshellarg( $port ),
 165                                                 escapeshellarg( $url )
 166                                                 ));
 167                         exec( "php $params &>/dev/null &" );
 168                 }
 169                 # Set MemCached key
 170                 $wgMemc->set( $mcKey, 1, $wgProxyMemcExpiry );
 171         }
 172 }
 173
 174 /**
 175  * Convert a network specification in CIDR notation to an integer network and a number of bits
 176  * @return array(string, int)
 177  */
 178 function wfParseCIDR( $range ) {
 179         return IP::parseCIDR( $range );
 180 }
 181
 182 /**
 183  * Check if an IP address is in the local proxy list
 184  * @return bool
 185  */
 186 function wfIsLocallyBlockedProxy( $ip ) {
 187         global $wgProxyList;
 188         $fname = 'wfIsLocallyBlockedProxy';
 189
 190         if ( !$wgProxyList ) {
 191                 return false;
 192         }
 193         wfProfileIn( $fname );
 194
 195         if ( !is_array( $wgProxyList ) ) {
 196                 # Load from the specified file
 197                 $wgProxyList = array_map( 'trim', file( $wgProxyList ) );
 198         }
 199
 200         if ( !is_array( $wgProxyList ) ) {
 201                 $ret = false;
 202         } elseif ( array_search( $ip, $wgProxyList ) !== false ) {
 203                 $ret = true;
 204         } elseif ( array_key_exists( $ip, $wgProxyList ) ) {
 205                 # Old-style flipped proxy list
 206                 $ret = true;
 207         } else {
 208                 $ret = false;
 209         }
 210         wfProfileOut( $fname );
 211         return $ret;
 212 }
 213
 214 /**
 215  * TODO: move this list to the database in a global IP info table incorporating
 216  * trusted ISP proxies, blocked IP addresses and open proxies.
 217  * @return bool
 218  */
 219 function wfIsAOLProxy( $ip ) {
 220         $ranges = array(
 221                 '64.12.96.0/19',
 222                 '149.174.160.0/20',
 223                 '152.163.240.0/21',
 224                 '152.163.248.0/22',
 225                 '152.163.252.0/23',
 226                 '152.163.96.0/22',
 227                 '152.163.100.0/23',
 228                 '195.93.32.0/22',
 229                 '195.93.48.0/22',
 230                 '195.93.64.0/19',
 231                 '195.93.96.0/19',
 232                 '195.93.16.0/20',
 233                 '198.81.0.0/22',
 234                 '198.81.16.0/20',
 235                 '198.81.8.0/23',
 236                 '202.67.64.128/25',
 237                 '205.188.192.0/20',
 238                 '205.188.208.0/23',
 239                 '205.188.112.0/20',
 240                 '205.188.146.144/30',
 241                 '207.200.112.0/21',
 242         );
 243
 244         static $parsedRanges;
 245         if ( is_null( $parsedRanges ) ) {
 246                 $parsedRanges = array();
 247                 foreach ( $ranges as $range ) {
 248                         $parsedRanges[] =  IP::parseRange( $range );
 249                 }
 250         }
 251
 252         $hex = IP::toHex( $ip );
 253         foreach ( $parsedRanges as $range ) {
 254                 if ( $hex >= $range[0] && $hex <= $range[1] ) {
 255                         return true;
 256                 }
 257         }
 258         return false;
 259 }