/** * Checks if an IP is a trusted proxy provider. * Useful to tell if X-Forwarded-For data is possibly bogus. * Squid cache servers for the site are whitelisted. * @deprecated Since 1.24, use IP::isTrustedProxy() * * @param string $ip * @return bool */ function wfIsTrustedProxy($ip) { wfDeprecated(__METHOD__, '1.24'); return IP::isTrustedProxy($ip); }
/** * Get all blocks that match any IP from an array of IP addresses * * @param array $ipChain List of IPs (strings), usually retrieved from the * X-Forwarded-For header of the request * @param bool $isAnon Exclude anonymous-only blocks if false * @param bool $fromMaster Whether to query the master or slave database * @return array Array of Blocks * @since 1.22 */ public static function getBlocksForIPList(array $ipChain, $isAnon, $fromMaster = false) { if (!count($ipChain)) { return array(); } wfProfileIn(__METHOD__); $conds = array(); foreach (array_unique($ipChain) as $ipaddr) { # Discard invalid IP addresses. Since XFF can be spoofed and we do not # necessarily trust the header given to us, make sure that we are only # checking for blocks on well-formatted IP addresses (IPv4 and IPv6). # Do not treat private IP spaces as special as it may be desirable for wikis # to block those IP ranges in order to stop misbehaving proxies that spoof XFF. if (!IP::isValid($ipaddr)) { continue; } # Don't check trusted IPs (includes local squids which will be in every request) if (IP::isTrustedProxy($ipaddr)) { continue; } # Check both the original IP (to check against single blocks), as well as build # the clause to check for rangeblocks for the given IP. $conds['ipb_address'][] = $ipaddr; $conds[] = self::getRangeCond(IP::toHex($ipaddr)); } if (!count($conds)) { wfProfileOut(__METHOD__); return array(); } if ($fromMaster) { $db = wfGetDB(DB_MASTER); } else { $db = wfGetDB(DB_SLAVE); } $conds = $db->makeList($conds, LIST_OR); if (!$isAnon) { $conds = array($conds, 'ipb_anon_only' => 0); } $selectFields = array_merge(array('ipb_range_start', 'ipb_range_end'), Block::selectFields()); $rows = $db->select('ipblocks', $selectFields, $conds, __METHOD__); $blocks = array(); foreach ($rows as $row) { $block = self::newFromRow($row); if (!$block->deleteIfExpired()) { $blocks[] = $block; } } wfProfileOut(__METHOD__); return $blocks; }
/** * Work out the IP address based on various globals * For trusted proxies, use the XFF client IP (first of the chain) * * @since 1.19 * * @throws MWException * @return string */ public function getIP() { global $wgUsePrivateIPs; # Return cached result if ($this->ip !== null) { return $this->ip; } # collect the originating ips $ip = $this->getRawIP(); if (!$ip) { throw new MWException('Unable to determine IP.'); } # Append XFF $forwardedFor = $this->getHeader('X-Forwarded-For'); if ($forwardedFor !== false) { $isConfigured = IP::isConfiguredProxy($ip); $ipchain = array_map('trim', explode(',', $forwardedFor)); $ipchain = array_reverse($ipchain); array_unshift($ipchain, $ip); # Step through XFF list and find the last address in the list which is a # trusted server. Set $ip to the IP address given by that trusted server, # unless the address is not sensible (e.g. private). However, prefer private # IP addresses over proxy servers controlled by this site (more sensible). # Note that some XFF values might be "unknown" with Squid/Varnish. foreach ($ipchain as $i => $curIP) { $curIP = IP::sanitizeIP(IP::canonicalize($curIP)); if (!$curIP || !isset($ipchain[$i + 1]) || $ipchain[$i + 1] === 'unknown' || !IP::isTrustedProxy($curIP)) { break; // IP is not valid/trusted or does not point to anything } if (IP::isPublic($ipchain[$i + 1]) || $wgUsePrivateIPs || IP::isConfiguredProxy($curIP)) { // Follow the next IP according to the proxy $nextIP = IP::canonicalize($ipchain[$i + 1]); if (!$nextIP && $isConfigured) { // We have not yet made it past CDN/proxy servers of this site, // so either they are misconfigured or there is some IP spoofing. throw new MWException("Invalid IP given in XFF '{$forwardedFor}'."); } $ip = $nextIP; // keep traversing the chain continue; } break; } } # Allow extensions to improve our guess Hooks::run('GetIP', array(&$ip)); if (!$ip) { throw new MWException("Unable to determine IP."); } wfDebug("IP: {$ip}\n"); $this->ip = $ip; return $ip; }
/** * Checks if an IP is a trusted proxy provider. * Useful to tell if X-Forwarded-For data is possibly bogus. * Squid cache servers for the site are whitelisted. * @deprecated Since 1.24, use IP::isTrustedProxy() * * @param string $ip * @return bool */ function wfIsTrustedProxy($ip) { return IP::isTrustedProxy($ip); }