From 382ed18a64ee979aca8c4f8304a545211384130e Mon Sep 17 00:00:00 2001
From: Aaron Schulz
Date: Wed, 18 Sep 2013 14:25:17 -0700
Subject: [PATCH] Detect invalid IPs in XFFs and give a more useful error message

* This will only error out if we are stuck with a CDN or site proxy IP

Bug: 54288
Change-Id: Ib81e06527c2f7a8d9c288b56c0f46610a4517f74
---
 includes/WebRequest.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 23eee04044..b17cb9ec5e 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -1144,10 +1144,17 @@ HTML;
 foreach ( $ipchain as $i => $curIP ) {
 $curIP = IP::sanitizeIP( IP::canonicalize( $curIP ) );
 if ( wfIsTrustedProxy( $curIP ) && isset( $ipchain[$i + 1] ) ) {
- if ( wfIsConfiguredProxy( $curIP ) || // bug 48919
- ( IP::isPublic( $ipchain[$i + 1] ) || $wgUsePrivateIPs )
+ if ( wfIsConfiguredProxy( $curIP ) || // bug 48919; treat IP as sane
+ IP::isPublic( $ipchain[$i + 1] ) ||
+ $wgUsePrivateIPs )
 {
- $ip = IP::canonicalize( $ipchain[$i + 1] );
+ $nextIP = IP::canonicalize( $ipchain[$i + 1] );
+ if ( !$nextIP && wfIsConfiguredProxy( $ip ) ) {
+ // We have not yet made it past CDN/proxy servers of this site,
+ // so either they are misconfigured or there is some IP spoofing.
+ throw new MWException( "Invalid IP given in XFF '$forwardedFor'." );
+ }
+ $ip = $nextIP;
 continue;
 }
 }
@@ -1159,7 +1166,7 @@ HTML;
 wfRunHooks( 'GetIP', array( &$ip ) );
 
 if ( !$ip ) {
- throw new MWException( "Unable to determine IP" );
+ throw new MWException( "Unable to determine IP." );
 }
 
 wfDebug( "IP: $ip\n" );
-- 
2.20.1
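Review bot: The new throw in the first hunk interpolates `$forwardedFor`, which appears to be the verbatim X-Forwarded-For header and is therefore fully client-controlled, into the exception text; that is only safe as long as every path that renders or logs an MWException escapes the message, so the message should carry just the element that failed to canonicalize and leave the full header to the debug log, e.g. `throw new MWException( "Invalid IP '" . $ipchain[$i + 1] . "' given in X-Forwarded-For." );` preceded by `wfDebug( "Invalid XFF: $forwardedFor\n" );`. The guard also tests `wfIsConfiguredProxy( $ip )` while the condition three lines above tests `wfIsConfiguredProxy( $curIP )`; `$ip` looks like it holds the same hop but has not been through IP::sanitizeIP, so `$curIP` would be the consistent choice unless the difference is deliberate, in which case a comment saying why would help. The enclosing method, including where `$ip` and `$forwardedFor` are initialised, starts and ends outside the hunk.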