From: Bryan Davis
Date: Thu, 7 Nov 2013 19:59:13 +0000 (-0700)
Subject: Support CIDR ranges in $wgSquidServersNoPurge
X-Git-Tag: 1.31.0-rc.0~18220^2
X-Git-Url: http://git.cyclocoop.org/%24image?a=commitdiff_plain;h=f111b2687c894bd744f53edff4ae049ddb48c59a;p=lhc%2Fweb%2Fwiklou.git
Support CIDR ranges in $wgSquidServersNoPurge
Use IP::isInRange() in wfIsConfiguredProxy() to allow matching against CIDR entries in $wgSquidServersNoPurge. This will allow maintainers of large networks to whitelist contiguous blocks of IPv4 and/or IPv6 addresses as trusted X-Forwarded-For providers. This change also makes a small change to WebRequestTest::testGetIpLackOfRemoteAddrThrowAnException() which was failing under some configurations due to non-default globals configuration.
Bug: 52829
Change-Id: I49e34bdf13e8e8c6cd169c362c283fe1034bdc6d
---
diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 04be2a241e..7cf5c8ef08 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -18,6 +18,9 @@ production.
 exception metadata to JSON and logs it to the 'exception-json' log group. This makes MediaWiki easier to integrate with log aggregation and analysis tools.
+* $wgSquidServersNoPurge now supports the use of Classless Inter-Domain
+ Routing (CIDR) notation to specify contiguous blocks of IPv4 and/or IPv6
+ addresses that should be trusted to provide X-Forwarded-For headers.
 === New features in 1.23 ===
 * ResourceLoader can utilize the Web Storage API to cache modules client-side.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 92bb05e92d..2d1ddcb2c4 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2285,7 +2285,8 @@ $wgSquidServers = array();
 /**
 * As above, except these servers aren't purged on page changes; use to set a
- * list of trusted proxies, etc.
+ * list of trusted proxies, etc. Supports both individual IP addresses and
+ * CIDR blocks.
 */
 $wgSquidServersNoPurge = array();
diff --git a/includes/ProxyTools.php b/includes/ProxyTools.php
index bf1c4059d4..4efd3473f7 100644
--- a/includes/ProxyTools.php
+++ b/includes/ProxyTools.php
@@ -80,7 +80,19 @@ function wfIsTrustedProxy( $ip ) {
 */
 function wfIsConfiguredProxy( $ip ) {
 global $wgSquidServers, $wgSquidServersNoPurge;
- $trusted = in_array( $ip, $wgSquidServers ) ||
- in_array( $ip, $wgSquidServersNoPurge );
+
+ // quick check of known proxy servers
+ $trusted = in_array( $ip, $wgSquidServers );
+
+ if ( !$trusted ) {
+ // slightly slower check to see if the ip is listed directly or in a CIDR
+ // block in $wgSquidServersNoPurge
+ foreach ( $wgSquidServersNoPurge as $block ) {
+ if ( IP::isInRange( $ip, $block ) ) {
+ $trusted = true;
+ break;
+ }
+ }
+ }
 return $trusted;
 }
diff --git a/tests/phpunit/includes/WebRequestTest.php b/tests/phpunit/includes/WebRequestTest.php
index f8ed14b646..06ed1fd20e 100644
--- a/tests/phpunit/includes/WebRequestTest.php
+++ b/tests/phpunit/includes/WebRequestTest.php
@@ -269,6 +269,28 @@ class WebRequestTest extends MediaWikiTestCase {
 false,
 'With X-Forwaded-For and private IP and hook (disallowed)'
 ),
+ array(
+ '12.0.0.1',
+ array(
+ 'REMOTE_ADDR' => 'abcd:0001:002:03:4:555:6666:7777',
+ 'HTTP_X_FORWARDED_FOR' => '12.0.0.1, abcd:0001:002:03:4:555:6666:7777',
+ ),
+ array( 'ABCD:1:2:3::/64' ),
+ array(),
+ false,
+ 'IPv6 CIDR'
+ ),
+ array(
+ '12.0.0.3',
+ array(
+ 'REMOTE_ADDR' => '12.0.0.1',
+ 'HTTP_X_FORWARDED_FOR' => '12.0.0.3, 12.0.0.2'
+ ),
+ array( '12.0.0.0/24' ),
+ array(),
+ false,
+ 'IPv4 CIDR'
+ ),
 );
 }
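Review bot: The foreach accepts whatever `IP::isInRange( $ip, $block )` returns for a `$block` that is neither a valid address nor a valid CIDR range, so a malformed entry in `$wgSquidServersNoPurge` is resolved by that helper's handling of an unparseable range instead of being rejected here; because a true result makes the peer a trusted X-Forwarded-For source, consider failing closed with `if ( !IP::isValid( $block ) && !IP::isValidBlock( $block ) ) { continue; }` before the range check. The quick check still uses loose `in_array( $ip, $wgSquidServers )`; passing `true` as the third argument avoids loose string comparison, though that part is unchanged from the removed lines. The doc comment for wfIsConfiguredProxy begins before the hunk.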
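Review bot: Both new datasets only use addresses that lie inside the configured block, so a regression that makes the CIDR match too broad would not be caught; a dataset whose REMOTE_ADDR sits just outside the range, e.g. `'12.0.1.1'` against `array( '12.0.0.0/24' )`, which should presumably expect that REMOTE_ADDR back unchanged, would pin the negative side. Minor style point: the `'HTTP_X_FORWARDED_FOR' => '12.0.0.3, 12.0.0.2'` entry of the 'IPv4 CIDR' case lacks the trailing comma its 'IPv6 CIDR' counterpart has. The data-provider method returning this array starts before the hunk.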
@@ -277,6 +299,14 @@ class WebRequestTest extends MediaWikiTestCase {
 * @covers WebRequest::getIP
 */
 public function testGetIpLackOfRemoteAddrThrowAnException() {
+ // ensure that local install state doesn't interfere with test
+ $this->setMwGlobals( array(
+ 'wgSquidServersNoPurge' => array(),
+ 'wgSquidServers' => array(),
+ 'wgUsePrivateIPs' => false,
+ 'wgHooks' => array(),
+ ) );
+
 $request = new WebRequest();
 # Next call throw an exception about lacking an IP
 $request->getIP();
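Review bot: `'wgHooks' => array()` clears every registered hook for the duration of the test, not only the one that can influence WebRequest::getIP, which may mask behaviour from unrelated handlers on the call path; if a single proxy-trust hook is what can interfere, resetting just that key would keep the isolation without discarding the rest. The empty proxy lists and `'wgUsePrivateIPs' => false` are what make the missing-REMOTE_ADDR case deterministic, so a short comment saying why each global is reset would help, e.g. `// no trusted proxies, private IPs or hooks, so REMOTE_ADDR is the only possible source of the client IP`. The test method's closing brace lies outside the hunk.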