X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FProxyTools.php;h=aa4ce44041015a4097a37c287153248e58668982;hb=557a05f3843c486e79e01da32c1baa397a352c9a;hp=cc0d340bca08baa7abe4733bb77d8501c79c4c8f;hpb=569fa7cf8b1f8eb4187f73ee2ff89c3712c2fa1c;p=lhc%2Fweb%2Fwiklou.git diff --git a/includes/ProxyTools.php b/includes/ProxyTools.php index cc0d340bca..aa4ce44041 100644 --- a/includes/ProxyTools.php +++ b/includes/ProxyTools.php @@ -1,161 +1,100 @@ getHeader( 'X-Forwarded-For' ) instead. + * @return string + */ function wfGetForwardedFor() { - if( function_exists( 'apache_request_headers' ) ) { - // More reliable than $_SERVER due to case and -/_ folding - $set = apache_request_headers(); - $index = 'X-Forwarded-For'; - $index2 = 'Client-ip'; - } else { - // Subject to spoofing with headers like X_Forwarded_For - $set = $_SERVER; - $index = 'HTTP_X_FORWARDED_FOR'; - $index2 = 'CLIENT-IP'; - } - #Try a couple of headers - if( isset( $set[$index] ) ) { - return $set[$index]; - } else if( isset( $set[$index2] ) ) { - return $set[$index2]; - } else { - return null; - } -} - -function wfGetLastIPfromXFF( $xff ) -{ - if ( $xff ) { - // Avoid annoyingly long xff hacks - $xff = substr( $xff, 0, 255 ); - // Look for the last IP, assuming they are separated by commas - $n = strrpos( $xff, ',' ); - if ( strrpos !== false ) { - $last = substr( $xff, $n + 1 ); - // Make sure it is an IP - $m = preg_match('#\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}#', $last, $last_ip); - if ( $m > 0 ) - $xff_ip = $last_ip; - else - $xff_ip = null; - } else { - $xff_ip = null; - } - } else { - $xff_ip = null; - } - return $xff_ip; + wfDeprecated( __METHOD__, '1.19' ); + global $wgRequest; + return $wgRequest->getHeader( 'X-Forwarded-For' ); } +/** + * Returns the browser/OS data from the request header + * Note: headers are spoofable + * + * @deprecated in 1.18; use $wgRequest->getHeader( 'User-Agent' ) instead. + * @return string + */ function wfGetAgent() { - if( function_exists( 'apache_request_headers' ) ) { - // More reliable than $_SERVER due to case and -/_ folding - $set = apache_request_headers(); - $index = 'User-Agent'; - } else { - // Subject to spoofing with headers like X_Forwarded_For - $set = $_SERVER; - $index = 'HTTP_USER_AGENT'; - } - if( isset( $set[$index] ) ) { - return $set[$index]; - } else { - return ''; - } + wfDeprecated( __METHOD__, '1.18' ); + global $wgRequest; + return $wgRequest->getHeader( 'User-Agent' ); } -/** Work out the IP address based on various globals */ +/** + * Work out the IP address based on various globals + * For trusted proxies, use the XFF client IP (first of the chain) + * + * @deprecated in 1.19; call $wgRequest->getIP() directly. + * @return string + */ function wfGetIP() { - global $wgIP; - - # Return cached result - if ( !empty( $wgIP ) ) { - return $wgIP; - } - - /* collect the originating ips */ - # Client connecting to this webserver - if ( isset( $_SERVER['REMOTE_ADDR'] ) ) { - $ipchain = array( IP::canonicalize( $_SERVER['REMOTE_ADDR'] ) ); - } else { - # Running on CLI? - $ipchain = array( '127.0.0.1' ); - } - $ip = $ipchain[0]; - - # Append XFF on to $ipchain - $forwardedFor = wfGetForwardedFor(); - if ( isset( $forwardedFor ) ) { - $xff = array_map( 'trim', explode( ',', $forwardedFor ) ); - $xff = array_reverse( $xff ); - $ipchain = array_merge( $ipchain, $xff ); - } - - # Step through XFF list and find the last address in the list which is a trusted server - # Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private) - foreach ( $ipchain as $i => $curIP ) { - $curIP = IP::canonicalize( $curIP ); - if ( wfIsTrustedProxy( $curIP ) ) { - if ( isset( $ipchain[$i + 1] ) && IP::isPublic( $ipchain[$i + 1] ) ) { - $ip = $ipchain[$i + 1]; - } - } else { - break; - } - } - - wfDebug( "IP: $ip\n" ); - $wgIP = $ip; - return $ip; + wfDeprecated( __METHOD__, '1.19' ); + global $wgRequest; + return $wgRequest->getIP(); } +/** + * Checks if an IP is a trusted proxy providor. + * Useful to tell if X-Fowarded-For data is possibly bogus. + * Squid cache servers for the site are whitelisted. + * + * @param $ip String + * @return bool + */ function wfIsTrustedProxy( $ip ) { - global $wgSquidServers, $wgSquidServersNoPurge; - - if ( in_array( $ip, $wgSquidServers ) || - in_array( $ip, $wgSquidServersNoPurge ) || - wfIsAOLProxy( $ip ) - ) { - $trusted = true; - } else { - $trusted = false; - } + $trusted = wfIsConfiguredProxy( $ip ); wfRunHooks( 'IsTrustedProxy', array( &$ip, &$trusted ) ); return $trusted; } +/** + * Checks if an IP matches a proxy we've configured. + * @param $ip String + * @return bool + */ +function wfIsConfiguredProxy( $ip ) { + global $wgSquidServers, $wgSquidServersNoPurge; + $trusted = in_array( $ip, $wgSquidServers ) || + in_array( $ip, $wgSquidServersNoPurge ); + return $trusted; +} + /** * Forks processes to scan the originating IP for an open proxy server * MemCached can be used to skip IPs that have already been scanned */ function wfProxyCheck() { global $wgBlockOpenProxies, $wgProxyPorts, $wgProxyScriptPath; - global $wgUseMemCached, $wgMemc, $wgProxyMemcExpiry; + global $wgMemc, $wgProxyMemcExpiry, $wgRequest; global $wgProxyKey; if ( !$wgBlockOpenProxies ) { return; } - $ip = wfGetIP(); + $ip = $wgRequest->getIP(); # Get MemCached key - $skip = false; - if ( $wgUseMemCached ) { - $mcKey = wfMemcKey( 'proxy', 'ip', $ip ); - $mcValue = $wgMemc->get( $mcKey ); - if ( $mcValue ) { - $skip = true; - } - } + $mcKey = wfMemcKey( 'proxy', 'ip', $ip ); + $mcValue = $wgMemc->get( $mcKey ); + $skip = (bool)$mcValue; # Fork the processes if ( !$skip ) { $title = SpecialPage::getTitleFor( 'Blockme' ); $iphash = md5( $ip . $wgProxyKey ); - $url = $title->getFullURL( 'ip='.$iphash ); + $url = wfExpandUrl( $title->getFullURL( 'ip='.$iphash ), PROTO_HTTP ); foreach ( $wgProxyPorts as $port ) { $params = implode( ' ', array( @@ -164,99 +103,9 @@ function wfProxyCheck() { escapeshellarg( $port ), escapeshellarg( $url ) )); - exec( "php $params &>/dev/null &" ); + exec( "php $params >" . wfGetNull() . " 2>&1 &" ); } # Set MemCached key - if ( $wgUseMemCached ) { - $wgMemc->set( $mcKey, 1, $wgProxyMemcExpiry ); - } + $wgMemc->set( $mcKey, 1, $wgProxyMemcExpiry ); } } - -/** - * Convert a network specification in CIDR notation to an integer network and a number of bits - */ -function wfParseCIDR( $range ) { - return IP::parseCIDR( $range ); -} - -/** - * Check if an IP address is in the local proxy list - */ -function wfIsLocallyBlockedProxy( $ip ) { - global $wgProxyList; - $fname = 'wfIsLocallyBlockedProxy'; - - if ( !$wgProxyList ) { - return false; - } - wfProfileIn( $fname ); - - if ( !is_array( $wgProxyList ) ) { - # Load from the specified file - $wgProxyList = array_map( 'trim', file( $wgProxyList ) ); - } - - if ( !is_array( $wgProxyList ) ) { - $ret = false; - } elseif ( array_search( $ip, $wgProxyList ) !== false ) { - $ret = true; - } elseif ( array_key_exists( $ip, $wgProxyList ) ) { - # Old-style flipped proxy list - $ret = true; - } else { - $ret = false; - } - wfProfileOut( $fname ); - return $ret; -} - -/** - * TODO: move this list to the database in a global IP info table incorporating - * trusted ISP proxies, blocked IP addresses and open proxies. - */ -function wfIsAOLProxy( $ip ) { - $ranges = array( - '64.12.96.0/19', - '149.174.160.0/20', - '152.163.240.0/21', - '152.163.248.0/22', - '152.163.252.0/23', - '152.163.96.0/22', - '152.163.100.0/23', - '195.93.32.0/22', - '195.93.48.0/22', - '195.93.64.0/19', - '195.93.96.0/19', - '195.93.16.0/20', - '198.81.0.0/22', - '198.81.16.0/20', - '198.81.8.0/23', - '202.67.64.128/25', - '205.188.192.0/20', - '205.188.208.0/23', - '205.188.112.0/20', - '205.188.146.144/30', - '207.200.112.0/21', - ); - - static $parsedRanges; - if ( is_null( $parsedRanges ) ) { - $parsedRanges = array(); - foreach ( $ranges as $range ) { - $parsedRanges[] = IP::parseRange( $range ); - } - } - - $hex = IP::toHex( $ip ); - foreach ( $parsedRanges as $range ) { - if ( $hex >= $range[0] && $hex <= $range[1] ) { - return true; - } - } - return false; -} - - - -?>