From: Aaron Schulz
Date: Wed, 18 Sep 2013 21:25:17 +0000 (-0700)
Subject: Detect invalid IPs in XFFs and give a more useful error message
X-Git-Tag: 1.31.0-rc.0~18641^2
X-Git-Url: https://git.cyclocoop.org/%7B%24admin_url%7Dcompta/operations/supprimer.php?a=commitdiff_plain;h=382ed18a64ee979aca8c4f8304a545211384130e;p=lhc%2Fweb%2Fwiklou.git
Detect invalid IPs in XFFs and give a more useful error message
* This will only error out if we are stuck with a CDN or site proxy IP
Bug: 54288
Change-Id: Ib81e06527c2f7a8d9c288b56c0f46610a4517f74
---
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 23eee04044..b17cb9ec5e 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -1144,10 +1144,17 @@ HTML;
 foreach ( $ipchain as $i => $curIP ) {
 $curIP = IP::sanitizeIP( IP::canonicalize( $curIP ) );
 if ( wfIsTrustedProxy( $curIP ) && isset( $ipchain[$i + 1] ) ) {
- if ( wfIsConfiguredProxy( $curIP ) || // bug 48919
- ( IP::isPublic( $ipchain[$i + 1] ) || $wgUsePrivateIPs )
+ if ( wfIsConfiguredProxy( $curIP ) || // bug 48919; treat IP as sane
+ IP::isPublic( $ipchain[$i + 1] ) ||
+ $wgUsePrivateIPs )
 {
- $ip = IP::canonicalize( $ipchain[$i + 1] );
+ $nextIP = IP::canonicalize( $ipchain[$i + 1] );
+ if ( !$nextIP && wfIsConfiguredProxy( $ip ) ) {
+ // We have not yet made it past CDN/proxy servers of this site,
+ // so either they are misconfigured or there is some IP spoofing.
+ throw new MWException( "Invalid IP given in XFF '$forwardedFor'." );
+ }
+ $ip = $nextIP;
 continue;
 }
 }
@@ -1159,7 +1166,7 @@ HTML;
 wfRunHooks( 'GetIP', array( &$ip ) );
 if ( !$ip ) {
- throw new MWException( "Unable to determine IP" );
+ throw new MWException( "Unable to determine IP." );
 }
 wfDebug( "IP: $ip\n" );
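Review bot: The new `throw new MWException( "Invalid IP given in XFF '$forwardedFor'." )` in the first hunk copies what is presumably the raw X-Forwarded-For header, i.e. client-controlled bytes of arbitrary length, verbatim into an exception message that ends up in logs and possibly in an error page. Unless MWException's renderer is known to escape its message, this should be escaped and length-capped at the throw site, e.g. `throw new MWException( "Invalid IP given in XFF '" . htmlspecialchars( substr( $forwardedFor, 0, 255 ) ) . "'." );`, and it is worth a comment saying the header is untrusted input. The check also relies on `IP::canonicalize()` returning a falsy value for an unparsable address; if it can return an empty-but-valid string or a non-empty error marker, `!$nextIP` would not behave as the comment describes, so that contract deserves a short note next to the test. The enclosing method, and the definition of `$forwardedFor` and the initial value of `$ip`, start and end outside this hunk.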