This is an automated email from the git hooks/post-receive script.

skunnyk pushed a 
commit to branch 
oldforum
in repository www/forum.xfce.org.

commit 0344070ff3dc8c198cb2b54fcb2743a2ff793b5b
Author: Nick Schermer <n...@xfce.org>
Date:   Sat Mar 10 14:18:17 2012 +0100

    Update bad-behaviour.
---
 include/bad-behavior-mysql.php         |  1 +
 include/bad-behavior/core.inc.php      | 33 +++++++++++++++++++++------------
 include/bad-behavior/functions.inc.php |  4 ++++
 3 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/include/bad-behavior-mysql.php b/include/bad-behavior-mysql.php
index 936ecf5..6b88bf6 100644
--- a/include/bad-behavior-mysql.php
+++ b/include/bad-behavior-mysql.php
@@ -24,6 +24,7 @@ function bb2_table_structure($name)
 // Insert a new record
 function bb2_insert($settings, $package, $key)
 {
+       if (!$settings['logging']) return "";
        $ip = bb2_db_escape($package['ip']);
        $date = bb2_db_date();
        $request_method = bb2_db_escape($package['request_method']);
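Review bot: The new guard reads `$settings['logging']` directly, which raises an undefined-index notice whenever the key is absent from the settings array; `if (empty($settings['logging'])) return "";` is the tolerant form. The skipped path returns `""`, presumably because the caller treats the return value as a query string, but the rest of bb2_insert is outside this hunk so that cannot be confirmed here; a comment such as `// Logging disabled: no query to run` would make the sentinel explicit.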
diff --git a/include/bad-behavior/core.inc.php 
b/include/bad-behavior/core.inc.php
index 915b866..6437537 100644
--- a/include/bad-behavior/core.inc.php
+++ b/include/bad-behavior/core.inc.php
@@ -1,5 +1,5 @@
 <?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.1.15");
+define('BB2_VERSION', "2.2.2");
 
 // Bad Behavior entry point is bb2_start()
 // If you're reading this, you are probably lost.
@@ -40,18 +40,32 @@ function bb2_approved($settings, $package)
        }
 }
 
-// If this is reverse-proxied or load balanced, obtain the actual client IP
+# If this is reverse-proxied or load balanced, obtain the actual client IP
 function bb2_reverse_proxy($settings, $headers_mixed)
 {
-       $addrs = array_reverse(preg_split("/[\s,]+/", 
$headers_mixed[$settings['reverse_proxy_header']]));
+       # Detect if option is on when it should be off
+       $header = uc_all($settings['reverse_proxy_header']);
+       if (!array_key_exists($header, $headers_mixed)) {
+               return false;
+       }
+       
+       $addrs = @array_reverse(preg_split("/[\s,]+/", 
$headers_mixed[$header]));
+       # Skip our known reverse proxies and private addresses
        if (!empty($settings['reverse_proxy_addresses'])) {
                foreach ($addrs as $addr) {
-                       if (!match_cidr($addr, 
$settings['reverse_proxy_addresses'])) {
+                       if (!match_cidr($addr, 
$settings['reverse_proxy_addresses']) && !is_rfc1918($addr)) {
+                               return $addr;
+                       }
+               }
+       } else {
+               foreach ($addrs as $addr) {
+                       if (!is_rfc1918($addr)) {
                                return $addr;
                        }
                }
        }
-       return $addrs[0];
+       # If we got here, someone is playing a trick on us.
+       return false;
 }
 
 // Let God sort 'em out!
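Review bot: In bb2_reverse_proxy the value handed back from either loop is a token sliced out of a client-controllable header, and nothing checks that it is an IP address at all — a malformed token becomes `$ip` for the rest of the screening and logging path. Adding `&& filter_var($addr, FILTER_VALIDATE_IP) !== false` to both `return $addr;` conditions rejects such tokens, and the `@` on `array_reverse` can then go, since `array_key_exists` already guarantees the header is present and the suppression only hides the warning raised when the header value is not a string. The `else` branch (no `reverse_proxy_addresses` configured) accepts the rightmost non-RFC1918 token from whoever set the header, so the option is only safe when every request really arrives through a proxy that overwrites or appends to that header; a comment saying so, or a warning at configuration time, would help operators. Note also that `is_rfc1918` covers only the three IPv4 blocks, so a client reaching the proxy from loopback, link-local or an IPv6 private address is not treated as private here.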
@@ -80,10 +94,9 @@ function bb2_start($settings)
        $request_uri = $_SERVER["REQUEST_URI"];
        if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME'];      # IIS
 
-       if ($settings['reverse_proxy']) {
+       if ($settings['reverse_proxy'] && $ip = bb2_reverse_proxy($settings, 
$headers_mixed)) {
                $headers['X-Bad-Behavior-Remote-Address'] = 
$_SERVER['REMOTE_ADDR'];
                $headers_mixed['X-Bad-Behavior-Remote-Address'] = 
$_SERVER['REMOTE_ADDR'];
-               $ip = bb2_reverse_proxy($settings, $headers_mixed);
        } else {
                $ip = $_SERVER['REMOTE_ADDR'];
        }
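Review bot: Folding the `$ip = bb2_reverse_proxy(...)` assignment into the `if` means the `else` branch is now reached in two different situations — reverse proxying disabled, and reverse proxying enabled but the header missing or holding only proxy/private addresses — and in the second case `$_SERVER['REMOTE_ADDR']` is the proxy, not the client. That is a defensible fallback but easy to misread; a comment on the `else`, `// Also reached when the proxy header was absent or unusable: screen REMOTE_ADDR (the proxy) instead`, would record it. Splitting the assignment out of the condition, `$ip = $settings['reverse_proxy'] ? bb2_reverse_proxy($settings, $headers_mixed) : false;` followed by `if ($ip) {`, reads more clearly and does not rely on the reader knowing how `&&` and `=` bind. bb2_start begins and ends outside this hunk.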
@@ -100,16 +113,12 @@ function bb2_screen($settings, $package)
        // Please proceed to the security checkpoint, have your identification
        // and boarding pass ready, and prepare to be nakedized or fondled.
 
-       // Check for CloudFlare CDN since IP to be screened may be different
+       // CloudFlare-specific checks not handled by reverse proxy code
        // Thanks to butchs at Simple Machines
        if (array_key_exists('Cf-Connecting-Ip', $package['headers_mixed'])) {
                require_once(BB2_CORE . "/cloudflare.inc.php");
                $r = bb2_cloudflare($package);
                if ($r !== false && $r != $package['ip']) return $r;
-               # FIXME: For Cloudflare we are bypassing all checks for now
-               # See cloudflare.inc.php for more detail
-               bb2_approved($settings, $package);
-               return false;
        }
 
        // First check the whitelist
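Review bot: `$r != $package['ip']` on the kept line is a loose comparison between two strings, and PHP compares numeric-looking strings numerically under `!=`; `$r !== $package['ip']` is the strict form and matches the `!== false` already on the same line. With the bypass removed, a request carrying `Cf-Connecting-Ip` now goes through the regular screening under whatever address bb2_cloudflare returns, so the rewritten comment should say that the header is only honoured after bb2_cloudflare has vetted it — cloudflare.inc.php is not in this diff, so whether it checks `REMOTE_ADDR` against Cloudflare's ranges before trusting the header cannot be confirmed here.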
diff --git a/include/bad-behavior/functions.inc.php 
b/include/bad-behavior/functions.inc.php
index 9833805..45d3645 100644
--- a/include/bad-behavior/functions.inc.php
+++ b/include/bad-behavior/functions.inc.php
@@ -58,6 +58,10 @@ function match_cidr($addr, $cidr) {
        return $output;
 }
 
+// Determine if an IP address is reserved by RFC 1918.
+function is_rfc1918($addr) {
+       return match_cidr($addr, array("10.0.0.0/8", "172.16.0.0/12", 
"192.168.0.0/16"));
+}
 // Obtain all the HTTP headers.
 // NB: on PHP-CGI we have to fake it out a bit, since we can't get the REAL
 // headers. Run PHP as Apache 2.0 module if possible for best results.
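Review bot: is_rfc1918 is documented only as "reserved by RFC 1918", but bb2_reverse_proxy uses it to mean "private address", and the three IPv4 blocks leave loopback, link-local and all of IPv6 unclassified; a second comment line, `// IPv4 only; loopback (127/8), link-local (169.254/16) and IPv6 private ranges are not covered.`, tells callers what they are not getting. Whether match_cidr handles non-IPv4 input gracefully cannot be seen from this hunk. There is also no blank line between the new closing brace and the following `// Obtain all the HTTP headers.` comment, unlike the surrounding definitions in this file.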
