includes/ProxyTools.php

   1 <?php
   2 /**
   3  * Functions for dealing with proxies
   4  *
   5  * @file
   6  */
   7
   8 /**
   9  * Extracts the XFF string from the request header
  10  * Note: headers are spoofable
  11  * @return string
  12  */
  13 function wfGetForwardedFor() {
  14         $apacheHeaders = function_exists( 'apache_request_headers' ) ? apache_request_headers() : null;
  15         if( is_array( $apacheHeaders ) ) {
  16                 // More reliable than $_SERVER due to case and -/_ folding
  17                 $set = array();
  18                 foreach ( $apacheHeaders as $tempName => $tempValue ) {
  19                         $set[ strtoupper( $tempName ) ] = $tempValue;
  20                 }
  21                 $index = strtoupper ( 'X-Forwarded-For' );
  22         } else {
  23                 // Subject to spoofing with headers like X_Forwarded_For
  24                 $set = $_SERVER;
  25                 $index = 'HTTP_X_FORWARDED_FOR';
  26         }
  27
  28         #Try to see if XFF is set
  29         if( isset( $set[$index] ) ) {
  30                 return $set[$index];
  31         } else {
  32                 return null;
  33         }
  34 }
  35
  36 /**
  37  * Returns the browser/OS data from the request header
  38  * Note: headers are spoofable
  39  *
  40  * @deprecated in 1.18; use $wgRequest->getHeader( 'User-Agent' ) instead.
  41  * @return string
  42  */
  43 function wfGetAgent() {
  44         wfDeprecated( __FUNCTION__ );
  45         if( function_exists( 'apache_request_headers' ) ) {
  46                 // More reliable than $_SERVER due to case and -/_ folding
  47                 $set = array();
  48                 foreach ( apache_request_headers() as $tempName => $tempValue ) {
  49                         $set[ strtoupper( $tempName ) ] = $tempValue;
  50                 }
  51                 $index = strtoupper ( 'User-Agent' );
  52         } else {
  53                 // Subject to spoofing with headers like X_Forwarded_For
  54                 $set = $_SERVER;
  55                 $index = 'HTTP_USER_AGENT';
  56         }
  57         if( isset( $set[$index] ) ) {
  58                 return $set[$index];
  59         } else {
  60                 return '';
  61         }
  62 }
  63
  64 /**
  65  * Work out the IP address based on various globals
  66  * For trusted proxies, use the XFF client IP (first of the chain)
  67  * @return string
  68  */
  69 function wfGetIP() {
  70         global $wgUsePrivateIPs, $wgCommandLineMode;
  71         static $ip = false;
  72
  73         # Return cached result
  74         if ( !empty( $ip ) ) {
  75                 return $ip;
  76         }
  77
  78         /* collect the originating ips */
  79         # Client connecting to this webserver
  80         if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
  81                 $ip = IP::canonicalize( $_SERVER['REMOTE_ADDR'] );
  82         } elseif( $wgCommandLineMode ) {
  83                 $ip = '127.0.0.1';
  84         }
  85
  86         # Append XFF
  87         $forwardedFor = wfGetForwardedFor();
  88         if ( $forwardedFor !== null ) {
  89                 $ipchain = array_map( 'trim', explode( ',', $forwardedFor ) );
  90                 $ipchain = array_reverse( $ipchain );
  91                 if ( $ip ) {
  92                         array_unshift( $ipchain, $ip );
  93                 }
  94
  95                 # Step through XFF list and find the last address in the list which is a trusted server
  96                 # Set $ip to the IP address given by that trusted server, unless the address is not sensible (e.g. private)
  97                 foreach ( $ipchain as $i => $curIP ) {
  98                         $curIP = IP::canonicalize( $curIP );
  99                         if ( wfIsTrustedProxy( $curIP ) ) {
 100                                 if ( isset( $ipchain[$i + 1] ) ) {
 101                                         if( $wgUsePrivateIPs || IP::isPublic( $ipchain[$i + 1 ] ) ) {
 102                                                 $ip = $ipchain[$i + 1];
 103                                         }
 104                                 }
 105                         } else {
 106                                 break;
 107                         }
 108                 }
 109         }
 110
 111         # Allow extensions to improve our guess
 112         wfRunHooks( 'GetIP', array( &$ip ) );
 113
 114         if( !$ip ) {
 115                 throw new MWException( "Unable to determine IP" );
 116         }
 117
 118         wfDebug( "IP: $ip\n" );
 119         return $ip;
 120 }
 121
 122 /**
 123  * Checks if an IP is a trusted proxy providor
 124  * Useful to tell if X-Fowarded-For data is possibly bogus
 125  * Squid cache servers for the site and AOL are whitelisted
 126  * @param $ip String
 127  * @return bool
 128  */
 129 function wfIsTrustedProxy( $ip ) {
 130         global $wgSquidServers, $wgSquidServersNoPurge;
 131
 132         $trusted = in_array( $ip, $wgSquidServers ) ||
 133                 in_array( $ip, $wgSquidServersNoPurge );
 134         wfRunHooks( 'IsTrustedProxy', array( &$ip, &$trusted ) );
 135         return $trusted;
 136 }
 137
 138 /**
 139  * Forks processes to scan the originating IP for an open proxy server
 140  * MemCached can be used to skip IPs that have already been scanned
 141  */
 142 function wfProxyCheck() {
 143         global $wgBlockOpenProxies, $wgProxyPorts, $wgProxyScriptPath;
 144         global $wgMemc, $wgProxyMemcExpiry;
 145         global $wgProxyKey;
 146
 147         if ( !$wgBlockOpenProxies ) {
 148                 return;
 149         }
 150
 151         $ip = wfGetIP();
 152
 153         # Get MemCached key
 154         $mcKey = wfMemcKey( 'proxy', 'ip', $ip );
 155         $mcValue = $wgMemc->get( $mcKey );
 156         $skip = (bool)$mcValue;
 157
 158         # Fork the processes
 159         if ( !$skip ) {
 160                 $title = SpecialPage::getTitleFor( 'Blockme' );
 161                 $iphash = md5( $ip . $wgProxyKey );
 162                 $url = $title->getFullURL( 'ip='.$iphash );
 163
 164                 foreach ( $wgProxyPorts as $port ) {
 165                         $params = implode( ' ', array(
 166                                                 escapeshellarg( $wgProxyScriptPath ),
 167                                                 escapeshellarg( $ip ),
 168                                                 escapeshellarg( $port ),
 169                                                 escapeshellarg( $url )
 170                                                 ));
 171                         exec( "php $params >" . wfGetNull() . " 2>&1 &" );
 172                 }
 173                 # Set MemCached key
 174                 $wgMemc->set( $mcKey, 1, $wgProxyMemcExpiry );
 175         }
 176 }