jenkins-bot has submitted this change and it was merged.
Change subject: Support CIDR ranges in $wgSquidServersNoPurge
......................................................................
Support CIDR ranges in $wgSquidServersNoPurge
Use IP::isInRange() in wfIsConfiguredProxy() to allow matching against
CIDR entries in $wgSquidServersNoPurge. This will allow maintainers of
large networks to whitelist contiguous blocks of IPv4 and/or IPv6
addresses as trusted X-Forwarded-For providers.
This change also makes a small change to
WebRequestTest::testGetIpLackOfRemoteAddrThrowAnException() which was
failing under some configurations due to non-default globals
configuration.
Bug: 52829
Change-Id: I49e34bdf13e8e8c6cd169c362c283fe1034bdc6d
(cherry picked from commit f111b2687c894bd744f53edff4ae049ddb48c59a)
---
M RELEASE-NOTES-1.23
M includes/DefaultSettings.php
M includes/ProxyTools.php
M tests/phpunit/includes/WebRequestTest.php
4 files changed, 49 insertions(+), 3 deletions(-)
Approvals:
Reedy: Looks good to me, approved
jenkins-bot: Verified
diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 6c78253..736869f 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -9,6 +9,9 @@
production.
=== Configuration changes in 1.23 ===
+* $wgSquidServersNoPurge now supports the use of Classless Inter-Domain
+ Routing (CIDR) notation to specify contiguous blocks of IPv4 and/or IPv6
+ addresses that should be trusted to provide X-Forwarded-For headers.
=== New features in 1.23 ===
* ResourceLoader can utilize the Web Storage API to cache modules client-side.
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index f466f35..cb679ab 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2285,7 +2285,8 @@
/**
* As above, except these servers aren't purged on page changes; use to set a
- * list of trusted proxies, etc.
+ * list of trusted proxies, etc. Supports both individual IP addresses and
+ * CIDR blocks.
*/
$wgSquidServersNoPurge = array();
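Review bot: The updated comment on $wgSquidServersNoPurge says CIDR blocks are supported but not what listing one implies. Every address inside the block becomes a trusted source of X-Forwarded-For, so the block should be no wider than the proxy fleet itself. I would add a sentence such as `* Every address in a listed block is trusted to supply X-Forwarded-For; keep blocks as narrow as possible.` It is also worth stating here that $wgSquidServers, referred to by "As above", still takes individual addresses only, since the ProxyTools.php hunk keeps in_array() for it.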
diff --git a/includes/ProxyTools.php b/includes/ProxyTools.php
index bf1c405..4efd347 100644
--- a/includes/ProxyTools.php
+++ b/includes/ProxyTools.php
@@ -80,7 +80,19 @@
*/
function wfIsConfiguredProxy( $ip ) {
global $wgSquidServers, $wgSquidServersNoPurge;
- $trusted = in_array( $ip, $wgSquidServers ) ||
- in_array( $ip, $wgSquidServersNoPurge );
+
+ // quick check of known proxy servers
+ $trusted = in_array( $ip, $wgSquidServers );
+
+ if ( !$trusted ) {
+ // slightly slower check to see if the ip is listed directly or
in a CIDR
+ // block in $wgSquidServersNoPurge
+ foreach ( $wgSquidServersNoPurge as $block ) {
+ if ( IP::isInRange( $ip, $block ) ) {
+ $trusted = true;
+ break;
+ }
+ }
+ }
return $trusted;
}
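Review bot: The new foreach in wfIsConfiguredProxy() passes each $wgSquidServersNoPurge entry straight to IP::isInRange(), and nothing in the hunk shows what that call returns when the entry or $ip does not parse. A true result makes the caller accept X-Forwarded-For from that peer, so a typo in the list should fail closed. Consider skipping unparsable entries before the range test, for example `if ( !IP::isValid( $block ) && !IP::isValidBlock( $block ) ) { continue; }`, and confirm isInRange() returns false for an invalid $ip. Separately, $wgSquidServers is still compared with non-strict in_array(), so a CIDR entry placed there never matches. The docblock, which starts above the hunk, should state that only $wgSquidServersNoPurge accepts ranges.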
diff --git a/tests/phpunit/includes/WebRequestTest.php
b/tests/phpunit/includes/WebRequestTest.php
index f8ed14b..06ed1fd 100644
--- a/tests/phpunit/includes/WebRequestTest.php
+++ b/tests/phpunit/includes/WebRequestTest.php
@@ -269,6 +269,28 @@
false,
'With X-Forwaded-For and private IP and hook
(disallowed)'
),
+ array(
+ '12.0.0.1',
+ array(
+ 'REMOTE_ADDR' =>
'abcd:0001:002:03:4:555:6666:7777',
+ 'HTTP_X_FORWARDED_FOR' => '12.0.0.1,
abcd:0001:002:03:4:555:6666:7777',
+ ),
+ array( 'ABCD:1:2:3::/64' ),
+ array(),
+ false,
+ 'IPv6 CIDR'
+ ),
+ array(
+ '12.0.0.3',
+ array(
+ 'REMOTE_ADDR' => '12.0.0.1',
+ 'HTTP_X_FORWARDED_FOR' => '12.0.0.3,
12.0.0.2'
+ ),
+ array( '12.0.0.0/24' ),
+ array(),
+ false,
+ 'IPv4 CIDR'
+ ),
);
}
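Review bot: Both added provider rows ('IPv6 CIDR' and 'IPv4 CIDR') only exercise the accepting path: in each, REMOTE_ADDR and every intermediate hop lie inside the configured block. In the IPv4 row even the expected client 12.0.0.3 falls inside 12.0.0.0/24. No row shows a peer just outside the block being refused, which is the case that matters for a trust boundary. I would add a row where REMOTE_ADDR is outside the range (for instance a `12.0.1.1` peer against `12.0.0.0/24`) and the expected result is REMOTE_ADDR itself, plus one with a malformed list entry. The provider method and its parameter order start above the hunk, so the exact column for the proxy list should be checked against the test signature.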
@@ -277,6 +299,14 @@
* @covers WebRequest::getIP
*/
public function testGetIpLackOfRemoteAddrThrowAnException() {
+ // ensure that local install state doesn't interfere with test
+ $this->setMwGlobals( array(
+ 'wgSquidServersNoPurge' => array(),
+ 'wgSquidServers' => array(),
+ 'wgUsePrivateIPs' => false,
+ 'wgHooks' => array(),
+ ) );
+
$request = new WebRequest();
# Next call throw an exception about lacking an IP
$request->getIP();
--
To view, visit https://gerrit.wikimedia.org/r/94396
Gerrit-MessageType: merged
Gerrit-Change-Id: I49e34bdf13e8e8c6cd169c362c283fe1034bdc6d
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: wmf/1.23wmf2
Gerrit-Owner: BryanDavis <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: Greg Grossmeier <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: Reedy <[email protected]>
Gerrit-Reviewer: jenkins-bot