From: Tim Starling Date: Sat, 25 Nov 2006 16:24:44 +0000 (+0000) Subject: * Added temporary special-case AOL proxy detection, they're automatically counted... X-Git-Tag: 1.31.0-rc.0~55083 X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/exercices/modifier.php?a=commitdiff_plain;h=a3a6ac13c3285b7c61f4c843656b11820dd46eff;p=lhc%2Fweb%2Fwiklou.git * Added temporary special-case AOL proxy detection, they're automatically counted as trusted proxies for now. * Removed wfRangeStartEnd() and wfIsAddressInRange() -- avoid proliferation of global functions.
---
diff --git a/includes/Block.php b/includes/Block.php
index 14c87a8362..ff0478ef82 100644
--- a/includes/Block.php
+++ b/includes/Block.php
@@ -241,10 +241,10 @@ class Block
 /**
 * Determine if a given integer IPv4 address is in a given CIDR network
- * @deprecated Use wfIsAddressInRange
+ * @deprecated Use IP::isAddressInRange
 */
 function isAddressInRange( $addr, $range ) {
- return wfIsAddressInRange( $addr, $range );
+ return IP::isAddressInRange( $addr, $range );
 }
 function initFromRow( $row )
@@ -275,9 +275,7 @@ class Block
 $this->mRangeEnd = '';
 if ( $this->mUser == 0 ) {
- $startend = wfRangeStartEnd($this->mAddress);
- $this->mRangeStart = $startend[0];
- $this->mRangeEnd = $startend[1];
+ list( $this->mRangeStart, $this->mRangeEnd ) = IP::parseCIDR( $this->mAddress );
 }
 }
@@ -407,7 +405,7 @@ class Block
 *@return Whether or not a retroactive autoblock was made.
 */
 function doRetroactiveAutoblock() {
- $dbr = wfGetDb( DB_SLAVE );
+ $dbr = wfGetDB( DB_SLAVE );
 #If autoblock is enabled, autoblock the LAST IP used
 # - stolen shamelessly from CheckUser_body.php
@@ -435,7 +433,7 @@ class Block
 */
 function doAutoblock( $autoblockip ) {
 # Check if this IP address is already blocked
- $dbw =& wfGetDb( DB_MASTER );
+ $dbw =& wfGetDB( DB_MASTER );
 $dbw->begin();
 # If autoblocks are disabled, go away.
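Review bot: The deprecated wrapper `Block::isAddressInRange()` now calls `IP::isAddressInRange( $addr, $range )`, and its `@deprecated` tag points at the same name, but the only range helper this commit adds to includes/IP.php is `isInRange()`, which is also what the autoblock whitelist check in the `@@ -463` hunk calls. Unless `IP::isAddressInRange` is defined in a part of IP.php that is not shown here, any remaining caller of the wrapper ends in an undefined-method error. The two lines should read `* @deprecated Use IP::isInRange` and `return IP::isInRange( $addr, $range );`.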
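Review bot: `list( $this->mRangeStart, $this->mRangeEnd ) = IP::parseCIDR( $this->mAddress );` takes the start and end of a range block from `parseCIDR`, while the two other range consumers in this commit (`IP::isInRange()` and `wfIsAOLProxy()`) take their start/end pair from `IP::parseRange`. The return shape of `parseCIDR` is not visible in the diff; if it yields a network and a prefix length rather than a start/end pair, range blocks would be stored with wrong bounds and would silently stop matching. This should be confirmed, and `IP::parseRange( $this->mAddress )` is probably what is meant. The enclosing method starts and ends outside the hunk.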
@@ -463,7 +461,7 @@ class Block
 wfDebug("Checking $wlEntry\n");
 # Is the IP in this range?
- if (wfIsAddressInRange( $ip, $wlEntry )) {
+ if (IP::isInRange( $ip, $wlEntry )) {
 wfDebug("IP $ip matches $wlEntry, not autoblocking\n");
 #$autoblockip = null; # Don't autoblock a whitelisted IP.
 return; #This /SHOULD/ introduce a dummy block - but
diff --git a/includes/IP.php b/includes/IP.php
index f3ff34278a..5bd2a2363f 100644
--- a/includes/IP.php
+++ b/includes/IP.php
@@ -206,6 +206,19 @@ class IP {
 } else {
 return array( $start, $end );
 }
- }
+ }
+
+ /**
+ * Determine if a given integer IPv4 address is in a given CIDR network
+ * @param $addr The address to check against the given range.
+ * @param $range The range to check the given address against.
+ * @return bool Whether or not the given address is in the given range.
+ */
+ function isInRange( $addr, $range ) {
+ $unsignedIP = IP::toUnsigned($addr);
+ list( $start, $end ) = IP::parseRange($range);
+
+ return (($unsignedIP >= $start) && ($unsignedIP <= $end));
+ }
 }
 ?>
diff --git a/includes/ProxyTools.php b/includes/ProxyTools.php
index fde896595f..1b65406d95 100644
--- a/includes/ProxyTools.php
+++ b/includes/ProxyTools.php
@@ -23,7 +23,7 @@ function wfGetForwardedFor() {
 /** Work out the IP address based on various globals */
 function wfGetIP() {
- global $wgSquidServers, $wgSquidServersNoPurge, $wgIP;
+ global $wgIP;
 # Return cached result
 if ( !empty( $wgIP ) ) {
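Review bot: `isInRange()` compares `IP::toUnsigned($addr)` with the pair returned by `IP::parseRange($range)`, whereas `wfIsAOLProxy()` in includes/ProxyTools.php compares `IP::toHex( $ip )` with the output of the same `parseRange`, so one of the two is comparing different representations and leaning on PHP's loose `>=`/`<=`. Neither return value is checked, so whatever `toUnsigned` or `parseRange` yields for a malformed address or range goes straight into the comparison; this method backs the autoblock whitelist in Block.php, where a wrong `true` skips the autoblock. The address should be converted with the helper that matches parseRange's output, and the method should `return false;` early when either parse fails. The docblock's "integer IPv4 address" looks carried over from the old Block method and should say what form `$addr` actually takes.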
@@ -40,27 +40,22 @@ function wfGetIP() {
 }
 $ip = $ipchain[0];
- # Get list of trusted proxies
- # Flipped for quicker access
- $trustedProxies = array_flip( array_merge( $wgSquidServers, $wgSquidServersNoPurge ) );
- if ( count( $trustedProxies ) ) {
- # Append XFF on to $ipchain
- $forwardedFor = wfGetForwardedFor();
- if ( isset( $forwardedFor ) ) {
- $xff = array_map( 'trim', explode( ',', $forwardedFor ) );
- $xff = array_reverse( $xff );
- $ipchain = array_merge( $ipchain, $xff );
- }
- # Step through XFF list and find the last address in the list which is a trusted server
- # Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private)
- foreach ( $ipchain as $i => $curIP ) {
- if ( array_key_exists( $curIP, $trustedProxies ) ) {
- if ( isset( $ipchain[$i + 1] ) && IP::isPublic( $ipchain[$i + 1] ) ) {
- $ip = $ipchain[$i + 1];
- }
- } else {
- break;
+ # Append XFF on to $ipchain
+ $forwardedFor = wfGetForwardedFor();
+ if ( isset( $forwardedFor ) ) {
+ $xff = array_map( 'trim', explode( ',', $forwardedFor ) );
+ $xff = array_reverse( $xff );
+ $ipchain = array_merge( $ipchain, $xff );
+ }
+ # Step through XFF list and find the last address in the list which is a trusted server
+ # Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private)
+ foreach ( $ipchain as $i => $curIP ) {
+ if ( wfIsTrustedProxy( $curIP ) ) {
+ if ( isset( $ipchain[$i + 1] ) && IP::isPublic( $ipchain[$i + 1] ) ) {
+ $ip = $ipchain[$i + 1];
 }
+ } else {
+ break;
 }
 }
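Review bot: With the `count( $trustedProxies )` guard removed, X-Forwarded-For is parsed on every request, and the only thing that keeps a client-supplied header from being believed is that the `foreach` breaks at the first hop `wfIsTrustedProxy()` rejects. That invariant deserves a comment above the loop, for example `# XFF entries are client-controlled; an entry is only believed while every earlier hop in $ipchain is a trusted proxy` (this assumes `$ipchain[0]` is the connecting peer, which is set above the hunk). The accepted value is gated only by `IP::isPublic( $ipchain[$i + 1] )`; `isPublic` is not shown here, so it should be confirmed that it rejects strings that are not well-formed addresses, since `$ip` is presumably the address later used for blocks and attribution. wfGetIP() starts and ends outside this hunk.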
@@ -69,6 +64,21 @@ function wfGetIP() {
 return $ip;
 }
+function wfIsTrustedProxy( $ip ) {
+ global $wgSquidServers, $wgSquidServersNoPurge;
+
+ if ( in_array( $ip, $wgSquidServers ) ||
+ in_array( $ip, $wgSquidServersNoPurge ) ||
+ wfIsAOLProxy( $ip )
+ ) {
+ $trusted = true;
+ } else {
+ $trusted = false;
+ }
+ wfRunHooks( 'IsTrustedProxy', array( &$ip, &$trusted ) );
+ return $trusted;
+}
+
 /**
 * Forks processes to scan the originating IP for an open proxy server
 * MemCached can be used to skip IPs that have already been scanned
@@ -154,6 +164,51 @@ function wfIsLocallyBlockedProxy( $ip ) {
 return $ret;
 }
+/**
+ * TODO: move this list to the database in a global IP info table incorporating
+ * trusted ISP proxies, blocked IP addresses and open proxies.
+ */
+function wfIsAOLProxy( $ip ) {
+ $ranges = array(
+ '64.12.96.0/19',
+ '149.174.160.0/20',
+ '152.163.240.0/21',
+ '152.163.248.0/22',
+ '152.163.252.0/23',
+ '152.163.96.0/22',
+ '152.163.100.0/23',
+ '195.93.32.0/22',
+ '195.93.48.0/22',
+ '195.93.64.0/19',
+ '195.93.96.0/19',
+ '195.93.16.0/20',
+ '198.81.0.0/22',
+ '198.81.16.0/20',
+ '198.81.8.0/23',
+ '202.67.64.128/25',
+ '205.188.192.0/20',
+ '205.188.208.0/23',
+ '205.188.112.0/20',
+ '205.188.146.144/30',
+ '207.200.112.0/21',
+ );
+
+ static $parsedRanges;
+ if ( is_null( $parsedRanges ) ) {
+ $parsedRanges = array();
+ foreach ( $ranges as $range ) {
+ $parsedRanges[] = IP::parseRange( $range );
+ }
+ }
+
+ $hex = IP::toHex( $ip );
+ foreach ( $parsedRanges as $range ) {
+ if ( $hex >= $range[0] && $hex <= $range[1] ) {
+ return true;
+ }
+ }
+ return false;
+}
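Review bot: `wfIsTrustedProxy()` has no doc comment even though it now decides whose X-Forwarded-For header wfGetIP() believes. The AOL ranges are trusted unconditionally, so an install with empty `$wgSquidServers` starts honouring XFF from any peer in those ranges, and an `IsTrustedProxy` hook handler can flip the result either way. A docblock should state that returning true lets that hop assert the client address, and the AOL branch would be easier to contain behind a site setting (placeholder name `$wgTrustAOLProxies`) so it can be switched off. The `in_array()` calls should also pass `true` as the third argument so the match is an exact string comparison, `in_array( $ip, $wgSquidServers, true )`.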
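Review bot: `$hex >= $range[0] && $hex <= $range[1]` in wfIsAOLProxy() applies PHP's loose comparison to what `IP::toHex` and `IP::parseRange` presumably return as hex strings (neither is visible in the diff). When both operands look numeric PHP compares them as numbers, so strings made only of digits, or of digits with a single `E` (constructed example: `1E000000`), are compared as floats instead of character by character. If both sides are fixed-width hex of the same case, `strcmp( $hex, $range[0] ) >= 0 && strcmp( $hex, $range[1] ) <= 0` gives the intended ordering. A failed `toHex` or `parseRange` result should also make the function return false before the loop rather than be fed into the comparison, because a wrong `true` here marks the address as a trusted proxy.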