X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FProxyTools.php;h=771fd5779664db0a99b45f16c5896acd61bf2b69;hb=9c891c3274120e13666f1285a77ef11857598e4f;hp=24108aaef63f1b7cd65ee4735f7121d1614b35dd;hpb=9260c3b7cadbc74f097307f49ce389d71ebe6d92;p=lhc%2Fweb%2Fwiklou.git diff --git a/includes/ProxyTools.php b/includes/ProxyTools.php index 24108aaef6..771fd57796 100644 --- a/includes/ProxyTools.php +++ b/includes/ProxyTools.php @@ -1,16 +1,73 @@ $tempValue ) { + $set[ strtoupper( $tempName ) ] = $tempValue; + } + $index = strtoupper ( 'X-Forwarded-For' ); + $index2 = strtoupper ( 'Client-ip' ); + } else { + // Subject to spoofing with headers like X_Forwarded_For + $set = $_SERVER; + $index = 'HTTP_X_FORWARDED_FOR'; + $index2 = 'CLIENT-IP'; + } + + #Try a couple of headers + if( isset( $set[$index] ) ) { + return $set[$index]; + } else if( isset( $set[$index2] ) ) { + return $set[$index2]; + } else { + return null; + } +} + +/** + * Returns the browser/OS data from the request header + * Note: headers are spoofable + * @return string + */ +function wfGetAgent() { + if( function_exists( 'apache_request_headers' ) ) { + // More reliable than $_SERVER due to case and -/_ folding + $set = array (); + foreach ( apache_request_headers() as $tempName => $tempValue ) { + $set[ strtoupper( $tempName ) ] = $tempValue; + } + $index = strtoupper ( 'User-Agent' ); + } else { + // Subject to spoofing with headers like X_Forwarded_For + $set = $_SERVER; + $index = 'HTTP_USER_AGENT'; + } + if( isset( $set[$index] ) ) { + return $set[$index]; + } else { + return ''; + } } -/** Work out the IP address based on various globals */ +/** + * Work out the IP address based on various globals + * For trusted proxies, use the XFF client IP (first of the chain) + * @return string + */ function wfGetIP() { - global $wgSquidServers, $wgSquidServersNoPurge, $wgIP; + global $wgIP, $wgUsePrivateIPs; # Return cached result if ( !empty( $wgIP ) ) { @@ -20,33 +77,33 @@ function wfGetIP() { /* collect the originating ips */ # Client connecting to this webserver if ( isset( $_SERVER['REMOTE_ADDR'] ) ) { - $ipchain = array( $_SERVER['REMOTE_ADDR'] ); + $ipchain = array( IP::canonicalize( $_SERVER['REMOTE_ADDR'] ) ); } else { # Running on CLI? $ipchain = array( '127.0.0.1' ); } $ip = $ipchain[0]; - # Get list of trusted proxies - # Flipped for quicker access - $trustedProxies = array_flip( array_merge( $wgSquidServers, $wgSquidServersNoPurge ) ); - if ( count( $trustedProxies ) ) { - # Append XFF on to $ipchain - if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { - $xff = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) ); - $xff = array_reverse( $xff ); - $ipchain = array_merge( $ipchain, $xff ); - } - # Step through XFF list and find the last address in the list which is a trusted server - # Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private) - foreach ( $ipchain as $i => $curIP ) { - if ( array_key_exists( $curIP, $trustedProxies ) ) { - if ( isset( $ipchain[$i + 1] ) && wfIsIPPublic( $ipchain[$i + 1] ) ) { + # Append XFF on to $ipchain + $forwardedFor = wfGetForwardedFor(); + if ( isset( $forwardedFor ) ) { + $xff = array_map( 'trim', explode( ',', $forwardedFor ) ); + $xff = array_reverse( $xff ); + $ipchain = array_merge( $ipchain, $xff ); + } + + # Step through XFF list and find the last address in the list which is a trusted server + # Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private) + foreach ( $ipchain as $i => $curIP ) { + $curIP = IP::canonicalize( $curIP ); + if ( wfIsTrustedProxy( $curIP ) ) { + if ( isset( $ipchain[$i + 1] ) ) { + if( $wgUsePrivateIPs || IP::isPublic( $ipchain[$i + 1 ] ) ) { $ip = $ipchain[$i + 1]; } - } else { - break; } + } else { + break; } } @@ -55,46 +112,25 @@ function wfGetIP() { return $ip; } -/** */ -function wfIP2Unsigned( $ip ) { - $n = ip2long( $ip ); - if ( $n == -1 ) { - $n = false; - } elseif ( $n < 0 ) { - $n += pow( 2, 32 ); - } - return $n; -} - /** - * Determine if an IP address really is an IP address, and if it is public, - * i.e. not RFC 1918 or similar + * Checks if an IP is a trusted proxy providor + * Useful to tell if X-Fowarded-For data is possibly bogus + * Squid cache servers for the site and AOL are whitelisted + * @param string $ip + * @return bool */ -function wfIsIPPublic( $ip ) { - $n = wfIP2Unsigned( $ip ); - if ( !$n ) { - return false; - } - - static $privateRanges = false; - if ( !$privateRanges ) { - $privateRanges = array( - array( '10.0.0.0', '10.255.255.255' ), # RFC 1918 (private) - array( '172.16.0.0', '172.31.255.255' ), # " - array( '192.168.0.0', '192.168.255.255' ), # " - array( '0.0.0.0', '0.255.255.255' ), # this network - array( '127.0.0.0', '127.255.255.255' ), # loopback - ); - } +function wfIsTrustedProxy( $ip ) { + global $wgSquidServers, $wgSquidServersNoPurge; - foreach ( $privateRanges as $r ) { - $start = wfIP2Unsigned( $r[0] ); - $end = wfIP2Unsigned( $r[1] ); - if ( $n >= $start && $n <= $end ) { - return false; - } + if ( in_array( $ip, $wgSquidServers ) || + in_array( $ip, $wgSquidServersNoPurge ) + ) { + $trusted = true; + } else { + $trusted = false; } - return true; + wfRunHooks( 'IsTrustedProxy', array( &$ip, &$trusted ) ); + return $trusted; } /** @@ -103,27 +139,23 @@ function wfIsIPPublic( $ip ) { */ function wfProxyCheck() { global $wgBlockOpenProxies, $wgProxyPorts, $wgProxyScriptPath; - global $wgUseMemCached, $wgMemc, $wgDBname, $wgProxyMemcExpiry; + global $wgMemc, $wgProxyMemcExpiry; + global $wgProxyKey; if ( !$wgBlockOpenProxies ) { return; } $ip = wfGetIP(); - + # Get MemCached key - $skip = false; - if ( $wgUseMemCached ) { - $mcKey = "$wgDBname:proxy:ip:$ip"; - $mcValue = $wgMemc->get( $mcKey ); - if ( $mcValue ) { - $skip = true; - } - } + $mcKey = wfMemcKey( 'proxy', 'ip', $ip ); + $mcValue = $wgMemc->get( $mcKey ); + $skip = (bool)$mcValue; # Fork the processes if ( !$skip ) { - $title = Title::makeTitle( NS_SPECIAL, 'Blockme' ); + $title = SpecialPage::getTitleFor( 'Blockme' ); $iphash = md5( $ip . $wgProxyKey ); $url = $title->getFullURL( 'ip='.$iphash ); @@ -137,10 +169,47 @@ function wfProxyCheck() { exec( "php $params &>/dev/null &" ); } # Set MemCached key - if ( $wgUseMemCached ) { - $wgMemc->set( $mcKey, 1, $wgProxyMemcExpiry ); - } + $wgMemc->set( $mcKey, 1, $wgProxyMemcExpiry ); + } +} + +/** + * Convert a network specification in CIDR notation to an integer network and a number of bits + * @return array(string, int) + */ +function wfParseCIDR( $range ) { + return IP::parseCIDR( $range ); +} + +/** + * Check if an IP address is in the local proxy list + * @return bool + */ +function wfIsLocallyBlockedProxy( $ip ) { + global $wgProxyList; + $fname = 'wfIsLocallyBlockedProxy'; + + if ( !$wgProxyList ) { + return false; + } + wfProfileIn( $fname ); + + if ( !is_array( $wgProxyList ) ) { + # Load from the specified file + $wgProxyList = array_map( 'trim', file( $wgProxyList ) ); + } + + if ( !is_array( $wgProxyList ) ) { + $ret = false; + } elseif ( array_search( $ip, $wgProxyList ) !== false ) { + $ret = true; + } elseif ( array_key_exists( $ip, $wgProxyList ) ) { + # Old-style flipped proxy list + $ret = true; + } else { + $ret = false; } + wfProfileOut( $fname ); + return $ret; } -?>