On Tue, Mar 19, 2013 at 05:12:23PM -0400, canyonknight wrote: > On Tue, Mar 19, 2013 at 9:23 AM, Lukas Fleischer > <archli...@cryptocrack.de> wrote: > > This allows for specifying a list of IP addresses that will no longer be > > able to register new accounts and login. The list of banned IP addresses > > can be configured in "web/lib/config.inc.php". > > > > Signed-off-by: Lukas Fleischer <archli...@cryptocrack.de> > > --- > > What are your thoughts on taking this a step further and adding a > "bans" table to the DB schema? It could eventually be extended to > allow for TUs and Developers to ban IP addresses directly from the web > interface without ever having to muck around with the config file.
Exactly what I was planning to do. We should also display each user's last login IP address in his profile (only visible to developers and TUs) and add a "Ban this IP address" button next to it. The "Save last login IP address" patch I submitted already adds the IP address to the Users table. Oh, and we might want to exclude TUs and developers from IP bans. > > > web/lib/acctfuncs.inc.php | 24 +++++++++++++++++++++--- > > web/lib/config.inc.php.proto | 3 +++ > > 2 files changed, 24 insertions(+), 3 deletions(-) > > > > diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php > > index aabb096..c202f47 100644 > > --- a/web/lib/acctfuncs.inc.php > > +++ b/web/lib/acctfuncs.inc.php > > @@ -91,7 +91,17 @@ function > > process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", > > $P="",$C="",$R="",$L="",$I="",$K="",$UID=0) { > > > > # error check and process request for a new/modified account > > - global $SUPPORTED_LANGS, $AUR_LOCATION; > > + global $SUPPORTED_LANGS, $AUR_LOCATION, $BANNED_IPS; > > + > > + $error = ""; > > + > > + if (in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS)) { > > + $error = __('The login form is currently ' . > > + 'disabled for your IP address, probably due ' . > > + 'to sustained spam attacks. Sorry for the ' . > > + 'inconvenience -- we hope to be back up ' . > > + 'soon.'); > > + } > > > > $dbh = DB::connect(); > > > > @@ -102,7 +112,6 @@ function > > process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", > > $editor_user = null; > > } > > > > - $error = ""; > > if (empty($E) || empty($U)) { > > $error = __("Missing a required field."); > > } 
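Review bot: In the process_account_form hunk the ban only assigns `$error` and execution then continues into `DB::connect()` and the validation chain, where `if (empty($E) || empty($U)) { $error = __("Missing a required field."); }` overwrites the ban message; the ban holds only if no later branch resets `$error`, which this hunk does not show (the function body continues past the hunk). try_login in the same patch returns as soon as the address is banned; returning early here too, through whatever path the rest of process_account_form uses to report `$error`, would make the two checks consistent and remove the dependency on later code. The check is also not gated on `$TYPE`, so it applies to edits of existing accounts by a logged-in `$editor_user` as well, while the description limits the ban to registration and login — if that is unintended, wrap it in `if ($TYPE == "new")`. `in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS, true)` (strict) is preferable in both this hunk and the try_login one, so only exact string equality matches.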
> > @@ -393,13 +402,22 @@ function > > search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", > > * @return array Session ID for user, error message if applicable > > */ > > function try_login() { > > - global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT; > > + global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT, > > $BANNED_IPS; > > > > $login_error = ""; > > $new_sid = ""; > > $userID = null; > > > > if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) { > > + if (in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS)) { > > + $login_error = __('The login form is currently ' . > > + 'disabled for your IP address, probably due > > ' . > > + 'to sustained spam attacks. Sorry for the ' > > . > > + 'inconvenience -- we hope to be back up ' . > > + 'soon.'); > > + return array('SID' => '', 'error' => $login_error); > > + } > > + > > $dbh = DB::connect(); > > $userID = valid_user($_REQUEST['user']); > > > > diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto > > index 1fe7dbc..0422ac5 100644 > > --- a/web/lib/config.inc.php.proto > > +++ b/web/lib/config.inc.php.proto > > @@ -59,3 +59,6 @@ $USE_VIRTUAL_URLS = true; > > # Maximum number of package results to return through an RPC connection. > > # Avoid setting this too high and having a PHP too much memory error. > > $MAX_RPC_RESULTS = 5000; > > + > > +# Prevent a list of remote addresses from logging in and creating new > > accounts. > > +$BANNED_IPS = array(); > > -- > > 1.8.2.480.g556678c > >
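Review bot: The ban message and the `in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS)` test in try_login are a verbatim copy of the process_account_form hunk, so the wording and the match rule will drift apart at the first edit; a small helper in acctfuncs.inc.php, e.g. `function is_banned_ip() { global $BANNED_IPS; return in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS, true); }`, with the message defined once next to it, keeps both call sites identical. The early `return array('SID' => '', 'error' => $login_error);` is the right shape here and matches the function's documented return value. A short comment above the check, `# Refuse the login attempt before touching the database or the password`, would record why the test sits ahead of `DB::connect()`; the rest of try_login is outside the hunk.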
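Review bot: The new `$BANNED_IPS` comment in config.inc.php.proto does not say how entries are matched, and the consuming code compares each entry against `$_SERVER['REMOTE_ADDR']` with `in_array()`, i.e. whole-string equality: no CIDR ranges or wildcards, and IPv6 entries must be written exactly as PHP reports them. Suggested wording: `# Exact-match list of remote addresses (as seen in REMOTE_ADDR) that may not log in or create accounts. Ranges are not supported.` If the site is served through a reverse proxy, REMOTE_ADDR holds the proxy's address rather than the client's, which would make a ban list either ineffective or far too broad; that caveat belongs in the same comment so an administrator is not surprised.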