Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/includes/ProxyTools.php

172 lines
4.1 KiB
PHP
Raw Normal View History

Adding some validation for IP determination via XFF headers, in preparation for adding ISP proxies to the trusted proxy list, which may occasionally give invalid XFF headers
2005-03-31 09:10:25 +00:00
<?php
/**
* Functions for dealing with proxies
fix some issues with phpdoc
2005-07-05 21:22:25 +00:00
* @package MediaWiki
Adding some validation for IP determination via XFF headers, in preparation for adding ISP proxies to the trusted proxy list, which may occasionally give invalid XFF headers
2005-03-31 09:10:25 +00:00
*/
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
function wfGetForwardedFor() {
if( function_exists( 'apache_request_headers' ) ) {
// More reliable than $_SERVER due to case and -/_ folding
$set = apache_request_headers();
$index = 'X-Forwarded-For';
} else {
// Subject to spoofing with headers like X_Forwarded_For
$set = $_SERVER;
$index = 'HTTP_X_FORWARDED_FOR';
* Protect against spoofing of X-Forwarded-For header
2006-01-07 21:44:10 +00:00
}
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
if( isset( $set[$index] ) ) {
return $set[$index];
} else {
return null;
}
}
* Protect against spoofing of X-Forwarded-For header
2006-01-07 21:44:10 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
/** Work out the IP address based on various globals */
function wfGetIP() {
global $wgSquidServers, $wgSquidServersNoPurge, $wgIP;
Deferred initialisation of $wgIP, because it's potentially slow, especially if and when we add the 200 NTL proxies to the trusted XFF list. I was hoping to avoid initialisation altogether for anonymous page views, but that turns out to be difficult because of user_newtalk. It is, however, avoided for action=raw. Tested page view, newtalk, IP registration in history and recentchanges, IP block, autoblock and Special:Version. Also moved the old proxy scan code from EditPage.php to a more appropriate location in ProxyTools.php.
2005-09-05 02:22:20 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
# Return cached result
if ( !empty( $wgIP ) ) {
return $wgIP;
}
Adding some validation for IP determination via XFF headers, in preparation for adding ISP proxies to the trusted proxy list, which may occasionally give invalid XFF headers
2005-03-31 09:10:25 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
/* collect the originating ips */
# Client connecting to this webserver
if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
$ipchain = array( $_SERVER['REMOTE_ADDR'] );
} else {
# Running on CLI?
$ipchain = array( '127.0.0.1' );
}
$ip = $ipchain[0];
# Get list of trusted proxies
# Flipped for quicker access
$trustedProxies = array_flip( array_merge( $wgSquidServers, $wgSquidServersNoPurge ) );
if ( count( $trustedProxies ) ) {
# Append XFF on to $ipchain
$forwardedFor = wfGetForwardedFor();
if ( isset( $forwardedFor ) ) {
$xff = array_map( 'trim', explode( ',', $forwardedFor ) );
$xff = array_reverse( $xff );
$ipchain = array_merge( $ipchain, $xff );
}
# Step through XFF list and find the last address in the list which is a trusted server
# Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private)
foreach ( $ipchain as $i => $curIP ) {
if ( array_key_exists( $curIP, $trustedProxies ) ) {
Deferred loading of DateFormatter.php and IP.php. Standardised IP.php function naming style.
2006-07-14 17:02:49 +00:00
if ( isset( $ipchain[$i + 1] ) && IP::isPublic( $ipchain[$i + 1] ) ) {
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
$ip = $ipchain[$i + 1];
Adding some validation for IP determination via XFF headers, in preparation for adding ISP proxies to the trusted proxy list, which may occasionally give invalid XFF headers
2005-03-31 09:10:25 +00:00
}
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
} else {
break;
Adding some validation for IP determination via XFF headers, in preparation for adding ISP proxies to the trusted proxy list, which may occasionally give invalid XFF headers
2005-03-31 09:10:25 +00:00
}
}
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
}
Adding some validation for IP determination via XFF headers, in preparation for adding ISP proxies to the trusted proxy list, which may occasionally give invalid XFF headers
2005-03-31 09:10:25 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
wfDebug( "IP: $ip\n" );
$wgIP = $ip;
return $ip;
}
/**
* Forks processes to scan the originating IP for an open proxy server
* MemCached can be used to skip IPs that have already been scanned
*/
function wfProxyCheck() {
global $wgBlockOpenProxies, $wgProxyPorts, $wgProxyScriptPath;
global $wgUseMemCached, $wgMemc, $wgDBname, $wgProxyMemcExpiry;
global $wgProxyKey;
* s~\t+$~~
2006-01-07 13:31:29 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
if ( !$wgBlockOpenProxies ) {
return;
}
Deferred initialisation of $wgIP, because it's potentially slow, especially if and when we add the 200 NTL proxies to the trusted XFF list. I was hoping to avoid initialisation altogether for anonymous page views, but that turns out to be difficult because of user_newtalk. It is, however, avoided for action=raw. Tested page view, newtalk, IP registration in history and recentchanges, IP block, autoblock and Special:Version. Also moved the old proxy scan code from EditPage.php to a more appropriate location in ProxyTools.php.
2005-09-05 02:22:20 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
$ip = wfGetIP();
Use AutoLoader to load classes: * remove require_once() throughout whole code, yet left in few places * move global functions in HttpUtils, ProxyTools, Credits to class methods * php5 only: __autoload() now used, combined with class->file map and require() * move initialization of $wgValidSkinNames to Skin::getSkinNames() * few more changes that will surely break stuff.
2006-06-01 07:22:49 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
# Get MemCached key
$skip = false;
if ( $wgUseMemCached ) {
$mcKey = "$wgDBname:proxy:ip:$ip";
$mcValue = $wgMemc->get( $mcKey );
if ( $mcValue ) {
$skip = true;
Deferred initialisation of $wgIP, because it's potentially slow, especially if and when we add the 200 NTL proxies to the trusted XFF list. I was hoping to avoid initialisation altogether for anonymous page views, but that turns out to be difficult because of user_newtalk. It is, however, avoided for action=raw. Tested page view, newtalk, IP registration in history and recentchanges, IP block, autoblock and Special:Version. Also moved the old proxy scan code from EditPage.php to a more appropriate location in ProxyTools.php.
2005-09-05 02:22:20 +00:00
}
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
}
Deferred initialisation of $wgIP, because it's potentially slow, especially if and when we add the 200 NTL proxies to the trusted XFF list. I was hoping to avoid initialisation altogether for anonymous page views, but that turns out to be difficult because of user_newtalk. It is, however, avoided for action=raw. Tested page view, newtalk, IP registration in history and recentchanges, IP block, autoblock and Special:Version. Also moved the old proxy scan code from EditPage.php to a more appropriate location in ProxyTools.php.
2005-09-05 02:22:20 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
# Fork the processes
if ( !$skip ) {
$title = Title::makeTitle( NS_SPECIAL, 'Blockme' );
$iphash = md5( $ip . $wgProxyKey );
$url = $title->getFullURL( 'ip='.$iphash );
foreach ( $wgProxyPorts as $port ) {
$params = implode( ' ', array(
escapeshellarg( $wgProxyScriptPath ),
escapeshellarg( $ip ),
escapeshellarg( $port ),
escapeshellarg( $url )
));
exec( "php $params &>/dev/null &" );
}
# Set MemCached key
if ( $wgUseMemCached ) {
$wgMemc->set( $mcKey, 1, $wgProxyMemcExpiry );
Use AutoLoader to load classes: * remove require_once() throughout whole code, yet left in few places * move global functions in HttpUtils, ProxyTools, Credits to class methods * php5 only: __autoload() now used, combined with class->file map and require() * move initialization of $wgValidSkinNames to Skin::getSkinNames() * few more changes that will surely break stuff.
2006-06-01 07:22:49 +00:00
}
Faster IP blocks. Requires schema change.
2005-12-01 10:37:47 +00:00
}
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
}
Use AutoLoader to load classes: * remove require_once() throughout whole code, yet left in few places * move global functions in HttpUtils, ProxyTools, Credits to class methods * php5 only: __autoload() now used, combined with class->file map and require() * move initialization of $wgValidSkinNames to Skin::getSkinNames() * few more changes that will surely break stuff.
2006-06-01 07:22:49 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
/**
* Convert a network specification in CIDR notation to an integer network and a number of bits
*/
function wfParseCIDR( $range ) {
$parts = explode( '/', $range, 2 );
if ( count( $parts ) != 2 ) {
return array( false, false );
}
Deferred loading of DateFormatter.php and IP.php. Standardised IP.php function naming style.
2006-07-14 17:02:49 +00:00
$network = IP::toUnsigned( $parts[0] );
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
if ( $network !== false && is_numeric( $parts[1] ) && $parts[1] >= 0 && $parts[1] <= 32 ) {
$bits = $parts[1];
} else {
$network = false;
$bits = false;
Faster IP blocks. Requires schema change.
2005-12-01 10:37:47 +00:00
}
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
return array( $network, $bits );
}
Faster IP blocks. Requires schema change.
2005-12-01 10:37:47 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
/**
* Check if an IP address is in the local proxy list
*/
function wfIsLocallyBlockedProxy( $ip ) {
global $wgProxyList;
$fname = 'wfIsLocallyBlockedProxy';
* s~\t+$~~
2006-01-07 13:31:29 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
if ( !$wgProxyList ) {
return false;
}
wfProfileIn( $fname );
* s~\t+$~~
2006-01-07 13:31:29 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
if ( !is_array( $wgProxyList ) ) {
# Load from the specified file
$wgProxyList = array_map( 'trim', file( $wgProxyList ) );
}
* s~\t+$~~
2006-01-07 13:31:29 +00:00
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
if ( !is_array( $wgProxyList ) ) {
$ret = false;
} elseif ( array_search( $ip, $wgProxyList ) !== false ) {
$ret = true;
} elseif ( array_key_exists( $ip, $wgProxyList ) ) {
# Old-style flipped proxy list
$ret = true;
} else {
$ret = false;
Lazy initialisation of wgProxyList, no flip required
2005-12-06 13:24:47 +00:00
}
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
wfProfileOut( $fname );
return $ret;
Lazy initialisation of wgProxyList, no flip required
2005-12-06 13:24:47 +00:00
}
Revert to r14512; domas introduced massive breakage with incomplete experimental changes. They will be recommitted when they work. :)
2006-06-01 08:19:02 +00:00
Adding some validation for IP determination via XFF headers, in preparation for adding ISP proxies to the trusted proxy list, which may occasionally give invalid XFF headers
2005-03-31 09:10:25 +00:00
?>
Reference in a new issue Copy permalink