/**
* Checks if an IP is a trusted proxy provider.
* Useful to tell if X-Forwarded-For data is possibly bogus.
* Squid cache servers for the site are whitelisted.
* @deprecated Since 1.24, use IP::isTrustedProxy()
*
* @param string $ip
* @return bool
*/
function wfIsTrustedProxy($ip)
{
wfDeprecated(__METHOD__, '1.24');
return IP::isTrustedProxy($ip);
}
/**
* Get all blocks that match any IP from an array of IP addresses
*
* @param array $ipChain List of IPs (strings), usually retrieved from the
* X-Forwarded-For header of the request
* @param bool $isAnon Exclude anonymous-only blocks if false
* @param bool $fromMaster Whether to query the master or slave database
* @return array Array of Blocks
* @since 1.22
*/
public static function getBlocksForIPList(array $ipChain, $isAnon, $fromMaster = false)
{
if (!count($ipChain)) {
return array();
}
wfProfileIn(__METHOD__);
$conds = array();
foreach (array_unique($ipChain) as $ipaddr) {
# Discard invalid IP addresses. Since XFF can be spoofed and we do not
# necessarily trust the header given to us, make sure that we are only
# checking for blocks on well-formatted IP addresses (IPv4 and IPv6).
# Do not treat private IP spaces as special as it may be desirable for wikis
# to block those IP ranges in order to stop misbehaving proxies that spoof XFF.
if (!IP::isValid($ipaddr)) {
continue;
}
# Don't check trusted IPs (includes local squids which will be in every request)
if (IP::isTrustedProxy($ipaddr)) {
continue;
}
# Check both the original IP (to check against single blocks), as well as build
# the clause to check for rangeblocks for the given IP.
$conds['ipb_address'][] = $ipaddr;
$conds[] = self::getRangeCond(IP::toHex($ipaddr));
}
if (!count($conds)) {
wfProfileOut(__METHOD__);
return array();
}
if ($fromMaster) {
$db = wfGetDB(DB_MASTER);
} else {
$db = wfGetDB(DB_SLAVE);
}
$conds = $db->makeList($conds, LIST_OR);
if (!$isAnon) {
$conds = array($conds, 'ipb_anon_only' => 0);
}
$selectFields = array_merge(array('ipb_range_start', 'ipb_range_end'), Block::selectFields());
$rows = $db->select('ipblocks', $selectFields, $conds, __METHOD__);
$blocks = array();
foreach ($rows as $row) {
$block = self::newFromRow($row);
if (!$block->deleteIfExpired()) {
$blocks[] = $block;
}
}
wfProfileOut(__METHOD__);
return $blocks;
}
/**
* Work out the IP address based on various globals
* For trusted proxies, use the XFF client IP (first of the chain)
*
* @since 1.19
*
* @throws MWException
* @return string
*/
public function getIP()
{
global $wgUsePrivateIPs;
# Return cached result
if ($this->ip !== null) {
return $this->ip;
}
# collect the originating ips
$ip = $this->getRawIP();
if (!$ip) {
throw new MWException('Unable to determine IP.');
}
# Append XFF
$forwardedFor = $this->getHeader('X-Forwarded-For');
if ($forwardedFor !== false) {
$isConfigured = IP::isConfiguredProxy($ip);
$ipchain = array_map('trim', explode(',', $forwardedFor));
$ipchain = array_reverse($ipchain);
array_unshift($ipchain, $ip);
# Step through XFF list and find the last address in the list which is a
# trusted server. Set $ip to the IP address given by that trusted server,
# unless the address is not sensible (e.g. private). However, prefer private
# IP addresses over proxy servers controlled by this site (more sensible).
# Note that some XFF values might be "unknown" with Squid/Varnish.
foreach ($ipchain as $i => $curIP) {
$curIP = IP::sanitizeIP(IP::canonicalize($curIP));
if (!$curIP || !isset($ipchain[$i + 1]) || $ipchain[$i + 1] === 'unknown' || !IP::isTrustedProxy($curIP)) {
break;
// IP is not valid/trusted or does not point to anything
}
if (IP::isPublic($ipchain[$i + 1]) || $wgUsePrivateIPs || IP::isConfiguredProxy($curIP)) {
// Follow the next IP according to the proxy
$nextIP = IP::canonicalize($ipchain[$i + 1]);
if (!$nextIP && $isConfigured) {
// We have not yet made it past CDN/proxy servers of this site,
// so either they are misconfigured or there is some IP spoofing.
throw new MWException("Invalid IP given in XFF '{$forwardedFor}'.");
}
$ip = $nextIP;
// keep traversing the chain
continue;
}
break;
}
}
# Allow extensions to improve our guess
Hooks::run('GetIP', array(&$ip));
if (!$ip) {
throw new MWException("Unable to determine IP.");
}
wfDebug("IP: {$ip}\n");
$this->ip = $ip;
return $ip;
}
/**
* Checks if an IP is a trusted proxy provider.
* Useful to tell if X-Forwarded-For data is possibly bogus.
* Squid cache servers for the site are whitelisted.
* @deprecated Since 1.24, use IP::isTrustedProxy()
*
* @param string $ip
* @return bool
*/
function wfIsTrustedProxy($ip)
{
return IP::isTrustedProxy($ip);
}
