BryanDavis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/94186


Change subject: Support CIDR ranges in $wgSquidServersNoPurge
......................................................................

Support CIDR ranges in $wgSquidServersNoPurge

Use IP::isInRange() in wfIsConfiguredProxy() to allow matching against
CIDR entries in $wgSquidServersNoPurge. This will allow maintainers of
large networks to whitelist contiguous blocks of IPv4 and/or IPv6
addresses as trusted X-Forwarded-For providers.

This change also makes a small change to
WebRequestTest::testGetIpLackOfRemoteAddrThrowAnException() which was
failing under some configurations due to non-default globals
configuration.

Bug: 52829
Change-Id: I49e34bdf13e8e8c6cd169c362c283fe1034bdc6d
---
M RELEASE-NOTES-1.23
M includes/DefaultSettings.php
M includes/ProxyTools.php
M tests/phpunit/includes/WebRequestTest.php
4 files changed, 48 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/86/94186/1
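The commit message above describes matching a request's source address against single IPs or CIDR blocks and then trusting that proxy's X-Forwarded-For header. The following is an added, stand-alone example (not MediaWiki's `IP` class or the patch's own code) that shows the two pieces together: a fail-closed IPv4/IPv6 CIDR matcher and the right-to-left walk over the X-Forwarded-For chain that stops at the first untrusted hop. All function names (`ipInEntry`, `isTrustedProxy`, `clientIp`) are this example's own; the sample addresses are constructed, two of them borrowed from the test cases in the patch.

```php
<?php
// Added example, not part of MediaWiki. Assumes PHP >= 7.1 with inet_pton().

/** Binary form (4 or 16 bytes) of an IPv4/IPv6 address, or null if malformed. */
function addrToBinary( string $ip ): ?string {
    $bin = @inet_pton( trim( $ip ) );
    return $bin === false ? null : $bin;
}

/**
 * True if $ip lies inside $entry. $entry is either a single address
 * ("192.0.2.10", "2001:db8::1") or a CIDR block ("12.0.0.0/24", "ABCD:1:2:3::/64").
 * Malformed entries, malformed addresses and IPv4/IPv6 mismatches never match,
 * so a bad configuration line fails closed instead of trusting everyone.
 */
function ipInEntry( string $ip, string $entry ): bool {
    $ipBin = addrToBinary( $ip );
    if ( $ipBin === null ) {
        return false;
    }
    $parts = explode( '/', trim( $entry ), 2 );
    $netBin = addrToBinary( $parts[0] );
    if ( $netBin === null || strlen( $netBin ) !== strlen( $ipBin ) ) {
        return false;
    }
    $maxBits = strlen( $netBin ) * 8;
    if ( count( $parts ) === 1 ) {
        $bits = $maxBits; // plain address: exact match only
    } elseif ( ctype_digit( $parts[1] ) && (int)$parts[1] <= $maxBits ) {
        $bits = (int)$parts[1];
    } else {
        return false; // "/abc" or an out-of-range prefix length
    }
    // Compare the leading $bits bits: whole bytes first, then the partial byte.
    $fullBytes = intdiv( $bits, 8 );
    if ( substr( $ipBin, 0, $fullBytes ) !== substr( $netBin, 0, $fullBytes ) ) {
        return false;
    }
    $rem = $bits % 8;
    if ( $rem === 0 ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
    return ( ord( $ipBin[$fullBytes] ) & $mask ) === ( ord( $netBin[$fullBytes] ) & $mask );
}

/** Linear scan over the trusted list, like the loop in the patch. */
function isTrustedProxy( string $ip, array $trusted ): bool {
    foreach ( $trusted as $entry ) {
        if ( ipInEntry( $ip, $entry ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the client address: start at REMOTE_ADDR and, while the current hop
 * is a trusted proxy, step to the next address to its left in X-Forwarded-For.
 * Stopping at the first untrusted hop is what prevents a client from spoofing
 * its address by prepending entries to the header.
 */
function clientIp( string $remoteAddr, string $xff, array $trusted ): string {
    $hops = array_filter( array_map( 'trim', explode( ',', $xff ) ), 'strlen' );
    $current = $remoteAddr;
    while ( $hops && isTrustedProxy( $current, $trusted ) ) {
        $next = array_pop( $hops ); // rightmost entry not yet examined
        if ( addrToBinary( $next ) === null ) {
            break; // garbage in the header: keep the last valid hop
        }
        $current = $next;
    }
    return $current;
}

// Constructed sample configuration: one IPv4 block, one IPv6 block, one host.
$trusted = array( '12.0.0.0/24', 'ABCD:1:2:3::/64', '192.0.2.10' );

// Same inputs as the "IPv4 CIDR" test in the patch: two trusted hops, then the client.
echo clientIp( '12.0.0.1', '12.0.0.3, 12.0.0.2', $trusted ), "\n";           // 12.0.0.3
// Same inputs as the "IPv6 CIDR" test: lower-case, zero-padded address inside the /64.
echo clientIp( 'abcd:0001:002:03:4:555:6666:7777',
    '12.0.0.1, abcd:0001:002:03:4:555:6666:7777', $trusted ), "\n";           // 12.0.0.1
// REMOTE_ADDR is not trusted, so the header is ignored entirely.
echo clientIp( '198.51.100.7', '10.0.0.1', $trusted ), "\n";                  // 198.51.100.7
// A malformed configuration entry never matches.
var_dump( ipInEntry( '12.0.0.1', '12.0.0.0/abc' ) );                            // bool(false)
```

The width of the configured blocks is the whole security decision here: every address inside a trusted block can assert any client address it likes, and a block such as `0.0.0.0/0` or `::/0` trusts every client on the internet. Keep blocks as narrow as the real proxy fleet.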

diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 04be2a2..bc2db5d 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -18,6 +18,9 @@
   exception metadata to JSON and logs it to the 'exception-json' log group.
   This makes MediaWiki easier to integrate with log aggregation and analysis
   tools.
+* $wgSquidServersNoPurge now supports the use of Classless Inter-Domain
+  Routing (CIDR) notation to specify contiguous blocks of IPv4 and/or IPv6
+  addressed that should be trusted to provide X-Forwarded-For headers.
 
 === New features in 1.23 ===
 * ResourceLoader can utilize the Web Storage API to cache modules client-side.
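Review bot: typo in the new release note: "IPv4 and/or IPv6 addressed that should be trusted" should read "addresses that should be trusted". Since the note already explains that matching entries are trusted to provide X-Forwarded-For, one more phrase warning operators to keep blocks as narrow as the proxy fleet would be useful; any address inside a listed block can set the client IP seen by the wiki.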
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 92bb05e..2d1ddcb 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2285,7 +2285,8 @@
 
 /**
  * As above, except these servers aren't purged on page changes; use to set a
- * list of trusted proxies, etc.
+ * list of trusted proxies, etc. Supports both individual IP addresses and
+ * CIDR blocks.
  */
 $wgSquidServersNoPurge = array();
 
diff --git a/includes/ProxyTools.php b/includes/ProxyTools.php
index bf1c405..b561265 100644
--- a/includes/ProxyTools.php
+++ b/includes/ProxyTools.php
@@ -80,7 +80,18 @@
  */
 function wfIsConfiguredProxy( $ip ) {
        global $wgSquidServers, $wgSquidServersNoPurge;
-       $trusted = in_array( $ip, $wgSquidServers ) ||
-               in_array( $ip, $wgSquidServersNoPurge );
+
+       // quick check of known proxy servers
+       $trusted = in_array( $ip, $wgSquidServers );
+
+       if ( !$trusted ) {
+               // slightly slower check to see if the ip is listed directly or 
in a CIDR
+               // block in $wgSquidServersNoPurge
+               foreach ( $wgSquidServersNoPurge as $block ) {
+                       if ( IP::isInRange( $ip, $block ) ) {
+                               return true;
+                       }
+               }
+       }
        return $trusted;
 }
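Review bot: the foreach returns true directly, so the trailing `return $trusted;` is only reached on a miss and `$trusted` no longer carries the NoPurge result; either `return in_array( $ip, $wgSquidServers ) || wfIsInNoPurgeList( $ip );` style or `$trusted = true; break;` inside the loop would keep one exit path and make the intent clearer. More importantly, the old code could never match a malformed entry (in_array() is an exact string compare), whereas IP::isInRange() is now asked to parse every entry on every request; please add a test with a malformed entry such as `'12.0.0.0/abc'` in $wgSquidServersNoPurge and assert it does not match, so the check provably fails closed. Finally, this is now a linear scan with a parse per entry on each getIP() call; note in the comment that large lists cost accordingly, or precompute the parsed ranges once.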
diff --git a/tests/phpunit/includes/WebRequestTest.php 
b/tests/phpunit/includes/WebRequestTest.php
index f8ed14b..06ed1fd 100644
--- a/tests/phpunit/includes/WebRequestTest.php
+++ b/tests/phpunit/includes/WebRequestTest.php
@@ -269,6 +269,28 @@
                                false,
                                'With X-Forwaded-For and private IP and hook 
(disallowed)'
                        ),
+                       array(
+                               '12.0.0.1',
+                               array(
+                                       'REMOTE_ADDR' => 
'abcd:0001:002:03:4:555:6666:7777',
+                                       'HTTP_X_FORWARDED_FOR' => '12.0.0.1, 
abcd:0001:002:03:4:555:6666:7777',
+                               ),
+                               array( 'ABCD:1:2:3::/64' ),
+                               array(),
+                               false,
+                               'IPv6 CIDR'
+                       ),
+                       array(
+                               '12.0.0.3',
+                               array(
+                                       'REMOTE_ADDR' => '12.0.0.1',
+                                       'HTTP_X_FORWARDED_FOR' => '12.0.0.3, 
12.0.0.2'
+                               ),
+                               array( '12.0.0.0/24' ),
+                               array(),
+                               false,
+                               'IPv4 CIDR'
+                       ),
                );
        }
 
@@ -277,6 +299,14 @@
         * @covers WebRequest::getIP
         */
        public function testGetIpLackOfRemoteAddrThrowAnException() {
+               // ensure that local install state doesn't interfere with test
+               $this->setMwGlobals( array(
+                       'wgSquidServersNoPurge' => array(),
+                       'wgSquidServers' => array(),
+                       'wgUsePrivateIPs' => false,
+                       'wgHooks' => array(),
+               ) );
+
                $request = new WebRequest();
                # Next call throw an exception about lacking an IP
                $request->getIP();
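Review bot: `'wgHooks' => array()` throws away every registered hook for the duration of the test, not just the GetIP hook this test needs to suppress; prefer resetting only the relevant key (e.g. `'wgHooks' => array( 'GetIP' => array() )` merged over the current value) so the test keeps isolating the X-Forwarded-For path without depending on nothing else in the hook table mattering. The reset of $wgSquidServers, $wgSquidServersNoPurge and $wgUsePrivateIPs is the right fix for the local-install interference described in the commit message.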

-- 
To view, visit https://gerrit.wikimedia.org/r/94186
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I49e34bdf13e8e8c6cd169c362c283fe1034bdc6d
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
