X-Git-Url: http://git.cyclocoop.org/?a=blobdiff_plain;f=includes%2FProxyTools.php;h=7b8e144deea5c034041837c5259d754cc5588957;hb=74e1db122f5b461f6a02e0c6e88582c5c8e2c1a4;hp=5e0f6dde7f630f46154ef02a9fda924802b3185c;hpb=559417280674b947e93542477246452f1c2eab99;p=lhc%2Fweb%2Fwiklou.git diff --git a/includes/ProxyTools.php b/includes/ProxyTools.php index 5e0f6dde7f..7b8e144dee 100644 --- a/includes/ProxyTools.php +++ b/includes/ProxyTools.php @@ -4,8 +4,21 @@ * @package MediaWiki */ -if ( !defined( 'MEDIAWIKI' ) ) { - die(); +function wfGetForwardedFor() { + if( function_exists( 'apache_request_headers' ) ) { + // More reliable than $_SERVER due to case and -/_ folding + $set = apache_request_headers(); + $index = 'X-Forwarded-For'; + } else { + // Subject to spoofing with headers like X_Forwarded_For + $set = $_SERVER; + $index = 'HTTP_X_FORWARDED_FOR'; + } + if( isset( $set[$index] ) ) { + return $set[$index]; + } else { + return null; + } } /** Work out the IP address based on various globals */ @@ -32,8 +45,9 @@ function wfGetIP() { $trustedProxies = array_flip( array_merge( $wgSquidServers, $wgSquidServersNoPurge ) ); if ( count( $trustedProxies ) ) { # Append XFF on to $ipchain - if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { - $xff = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) ); + $forwardedFor = wfGetForwardedFor(); + if ( isset( $forwardedFor ) ) { + $xff = array_map( 'trim', explode( ',', $forwardedFor ) ); $xff = array_reverse( $xff ); $ipchain = array_merge( $ipchain, $xff ); } @@ -55,7 +69,10 @@ function wfGetIP() { return $ip; } -/** */ +/** + * Given an IP address in dotted-quad notation, returns an unsigned integer. + * Like ip2long() except that it actually works and has a consistent error return value. + */ function wfIP2Unsigned( $ip ) { $n = ip2long( $ip ); if ( $n == -1 || $n === false ) { # Return value on error depends on PHP version 
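Review bot: The `apache_request_headers()` branch of wfGetForwardedFor looks the header up under the exact key `X-Forwarded-For`, but HTTP field names are case-insensitive and that function returns them as the client or proxy sent them. A trusted proxy emitting `x-forwarded-for` would therefore be ignored and the request attributed to the proxy's own address. Folding the keys first keeps the hyphen/underscore distinction the comment cares about: `$set = array_change_key_case( apache_request_headers(), CASE_LOWER ); $index = 'x-forwarded-for';`. The function also has no docblock; I would add one saying it returns the raw header or null, and that the value is client-supplied and only meaningful when the connection comes from a configured proxy. This hunk also drops the `if ( !defined( 'MEDIAWIKI' ) ) die();` guard, so it is worth confirming that nothing in the file executes at file scope (the visible parts only declare functions).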
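Review bot: In wfGetIP, `isset( $forwardedFor )` on a variable that was just assigned is only a null test, so `if ( $forwardedFor !== null ) {` states the intent directly. An empty header value also passes this check and produces an `$xff` holding a single empty string. Whether the code that walks `$ipchain` rejects such entries, or entries that are not addresses at all, lies outside this hunk and should be checked there.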
@@ -67,7 +84,18 @@ function wfIP2Unsigned( $ip ) { } /** - * Determine if an IP address really is an IP address, and if it is public, + * Return a zero-padded hexadecimal representation of an IP address + */ +function wfIP2Hex( $ip ) { + $n = wfIP2Unsigned( $ip ); + if ( $n !== false ) { + $n = sprintf( '%08X', $n ); + } + return $n; +} + +/** + * Determine if an IP address really is an IP address, and if it is public, * i.e. not RFC 1918 or similar */ function wfIsIPPublic( $ip ) { @@ -104,13 +132,14 @@ function wfIsIPPublic( $ip ) { function wfProxyCheck() { global $wgBlockOpenProxies, $wgProxyPorts, $wgProxyScriptPath; global $wgUseMemCached, $wgMemc, $wgDBname, $wgProxyMemcExpiry; + global $wgProxyKey; if ( !$wgBlockOpenProxies ) { return; } $ip = wfGetIP(); - + # Get MemCached key $skip = false; if ( $wgUseMemCached ) { 
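Review bot: wfIP2Hex passes the `false` error value from wfIP2Unsigned through unchanged, but its docblock mentions only the hex string. A caller that concatenates or stores the result without checking gets an empty string for invalid input. I would add `* @return mixed 8-digit uppercase hex string, or false if $ip is not a valid address` to the comment. The body of wfIP2Unsigned is outside this hunk; if it can hand back a float for addresses above 2^31 on 32-bit builds, it is worth confirming that `%08X` formats those values as intended.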
@@ -143,4 +172,56 @@ function wfProxyCheck() { } } +/** + * Convert a network specification in CIDR notation to an integer network and a number of bits + */ +function wfParseCIDR( $range ) { + $parts = explode( '/', $range, 2 ); + if ( count( $parts ) != 2 ) { + return array( false, false ); + } + $network = wfIP2Unsigned( $parts[0] ); + if ( $network !== false && is_numeric( $parts[1] ) && $parts[1] >= 0 && $parts[1] <= 32 ) { + $bits = $parts[1]; + } else { + $network = false; + $bits = false; + } + return array( $network, $bits ); +} + +/** + * Check if an IP address is in the local proxy list + */ +function wfIsLocallyBlockedProxy( $ip ) { + global $wgProxyList; + $fname = 'wfIsLocallyBlockedProxy'; + + if ( !$wgProxyList ) { + return false; + } + wfProfileIn( $fname ); + + if ( !is_array( $wgProxyList ) ) { + # Load from the specified file + $wgProxyList = array_map( 'trim', file( $wgProxyList ) ); + } + + if ( !is_array( $wgProxyList ) ) { + $ret = false; + } elseif ( array_search( $ip, $wgProxyList ) !== false ) { + $ret = true; + } elseif ( array_key_exists( $ip, $wgProxyList ) ) { + # Old-style flipped proxy list + $ret = true; + } else { + $ret = false; + } + wfProfileOut( $fname ); + return $ret; +} + + + + ?>
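Review bot: In wfIsLocallyBlockedProxy the result of `file( $wgProxyList )` goes straight into `array_map()`, so a missing or unreadable list file leaves `$wgProxyList` a non-array and the function answers `false` for every address with nothing recorded. A blocklist that silently stops matching deserves at least a debug-log entry, as sketched below; whether to fail closed instead is a policy call for the maintainers. Separately, in wfParseCIDR `is_numeric( $parts[1] )` accepts strings such as `24.5` or `1e1`, and `$bits` is returned as the raw string. A digits-only test such as `preg_match( '/^\d{1,2}\z/', $parts[1] )` ahead of the existing range check, with `$bits = intval( $parts[1] );`, keeps the prefix length an integer in 0–32.

```php
	if ( !is_array( $wgProxyList ) ) {
		# Load from the specified file; file() returns false if it cannot be read
		$lines = file( $wgProxyList );
		if ( $lines === false ) {
			wfDebug( "$fname: cannot read proxy list file, local proxy list not applied\n" );
			wfProfileOut( $fname );
			return false;
		}
		$wgProxyList = array_map( 'trim', $lines );
	}
	# … unchanged: array_search / array_key_exists lookup, wfProfileOut, return …
```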