Cryptographic security in Special:Blockme, in response to reports of abuse
authorTim Starling <tstarling@users.mediawiki.org>
Tue, 6 Apr 2004 01:25:26 +0000 (01:25 +0000)
committerTim Starling <tstarling@users.mediawiki.org>
Tue, 6 Apr 2004 01:25:26 +0000 (01:25 +0000)
config/index.php
includes/DefaultSettings.php
includes/EditPage.php
includes/SpecialBlockme.php

index b353e5a..dc0d126 100644 (file)
@@ -620,6 +620,7 @@ function writeLocalSettings( $conf ) {
        $convert = ($conf->ImageMagick ? $conf->ImageMagick : "/usr/bin/convert" );
        $pretty = ($conf->prettyURLs ? "" : "# ");
        $ugly = ($conf->prettyURLs ? "# " : "");
+       $proxyKey = Parser::getRandomString() . Parser::getRandomString();
        
        $sep = (DIRECTORY_SEPARATOR == "\\") ? ";" : ":";
        return "
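Review bot: The key generated on the added `$proxyKey` line is only as strong as `Parser::getRandomString()`, whose body is not visible in this hunk. If that helper is built on `mt_rand()` or another non-cryptographic generator, the secret protecting Special:Blockme is more predictable than its length suggests. Where the platform offers one, an OS-backed source such as bytes read from `/dev/urandom` is a better basis for a long-lived key. A comment such as `# Secret for the Special:Blockme hash; must be unpredictable and is never published` would record why the value matters. `writeLocalSettings()` continues outside the hunk.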
@@ -703,6 +704,7 @@ if ( \$wgUseSmarty ) {
 
 \$wgLanguageCode = \"{$conf->LanguageCode}\";
 " . ($conf->Encoding ? "\$wgInputEncoding = \$wgOutputEncoding = \"{$conf->Encoding}\";" : "" ) . "
+\$wgProxyKey = $proxyKey;
 
 ";
 }
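Review bot: The generated line `\$wgProxyKey = $proxyKey;` writes the key into LocalSettings.php without quotes, unlike `\$wgLanguageCode = \"{$conf->LanguageCode}\";` a few lines above it. If the random string is hex-like, the emitted file holds a bare token such as `$wgProxyKey = 1f3a9c;` (constructed example), which PHP treats as a constant name or rejects as a parse error. The wiki then either fails to load or runs with a value that is not the intended secret. Emit a string literal instead: `\$wgProxyKey = \"$proxyKey\";`.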
index 143b749..0b7b395 100644 (file)
@@ -150,6 +150,7 @@ $wgBlockOpenProxies = false; # Automatic open proxy test on edit
 $wgProxyPorts = array( 80, 81, 1080, 3128, 6588, 8000, 8080, 8888, 65506 );
 $wgProxyScriptPath = "$IP/proxy_check.php";
 $wgProxyMemcExpiry = 86400;
+$wgProxyKey = "W1svekXc5u6lZllTZOwnzEk1nbs";
 
 # Client-side caching:
 $wgCachePages       = true; # Allow client-side caching of pages
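Review bot: The default `$wgProxyKey` added here is a fixed string shipped in public source, so every wiki that does not override it shares a key anyone can read. That includes any existing install upgraded without re-running the installer, and for those sites the Special:Blockme hash no longer proves that the request came from the wiki's own proxy check. A safer default is an empty value, `$wgProxyKey = false;`, with the proxy scan and Special:Blockme refusing to act until the site sets its own secret in LocalSettings.php. A comment such as `# Secret used to authenticate Special:Blockme requests; set a unique random value per site` should accompany the setting.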
index e2946a8..f7149e6 100644 (file)
@@ -445,14 +445,16 @@ htmlspecialchars( $wgLang->recodeForEdit( $this->textbox1 ) ) .
                # Fork the processes
                if ( !$skip ) {
                        $title = Title::makeTitle( NS_SPECIAL, "Blockme" );
-                       $url = $title->getFullURL();
+                       $iphash = md5( $wgIP . $wgProxyKey );
+                       $url = wfFullUrl( $title->getPrefixedURL(), "ip=$iphash" );
+
                        foreach ( $wgProxyPorts as $port ) {
                                $params = implode( " ", array(
-                                 escapeshellarg( $wgProxyScriptPath ),
-                                 escapeshellarg( $wgIP ),
-                                 escapeshellarg( $port ),
-                                 escapeshellarg( $url )
-                               ));
+                                                       escapeshellarg( $wgProxyScriptPath ),
+                                                       escapeshellarg( $wgIP ),
+                                                       escapeshellarg( $port ),
+                                                       escapeshellarg( $url )
+                                                       ));
                                exec( "php $params &>/dev/null &" );
                        }
                        # Set MemCached key
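Review bot: `$wgProxyKey` is read on the added `$iphash` line, but the `global` statement of the enclosing function lies outside this hunk. If the variable was not added there, `md5( $wgIP . $wgProxyKey )` hashes the IP alone and the token is computable without the secret, so that declaration should be confirmed. The same expression is repeated in SpecialBlockme.php; a small shared helper would keep the generating and verifying sides from drifting apart. Plain `md5()` over a concatenation is also a weak way to key a hash, and an HMAC construction is preferable where the PHP version provides one. A comment such as `# Token proves the Blockme request was triggered by our own proxy check for this IP` would document the intent.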
index 1ea9f8b..fd547bb 100644 (file)
@@ -1,17 +1,17 @@
 <?php
 function wfSpecialBlockme()
 {
-       global $wgIP, $wgBlockOpenProxies, $wgOut;
+       global $wgIP, $wgBlockOpenProxies, $wgOut, $wgProxyKey;
 
-       if ( !$wgBlockOpenProxies ) {
+       if ( !$wgBlockOpenProxies || $_REQUEST['ip'] != md5( $wgIP . $wgProxyKey ) ) {
                $wgOut->addWikiText( wfMsg( "disabled" ) );
                return;
-       }
+       }       
 
        $blockerName = wfMsg( "proxyblocker" );
        $reason = wfMsg( "proxyblockreason" );
        $success = wfMsg( "proxyblocksuccess" );
-       
+
        $u = User::newFromName( $blockerName );
        $id = $u->idForName();
        if ( !$id ) {
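Review bot: The new condition compares the request token with loose `!=` and reads `$_REQUEST['ip']` without checking that it is set or that it is a string. Under PHP's loose comparison two numeric-looking strings can compare equal without being identical, and a missing or array-valued parameter raises a notice before the comparison is made. A stricter form is `if ( !$wgBlockOpenProxies || !isset( $_REQUEST['ip'] ) || !is_string( $_REQUEST['ip'] ) || $_REQUEST['ip'] !== md5( $wgIP . $wgProxyKey ) ) {`, using `hash_equals()` instead of `!==` where the PHP version has it. The body of `wfSpecialBlockme()` continues outside the hunk.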