This is an automated email from the git hooks/post-receive script. skunnyk pushed a commit to branch oldforum in repository www/forum.xfce.org.
commit 0344070ff3dc8c198cb2b54fcb2743a2ff793b5b
Author: Nick Schermer <n...@xfce.org>
Date: Sat Mar 10 14:18:17 2012 +0100
Update bad-behaviour.
---
 include/bad-behavior-mysql.php | 1 +
 include/bad-behavior/core.inc.php | 33 +++++++++++++++++++++------------
 include/bad-behavior/functions.inc.php | 4 ++++
 3 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/include/bad-behavior-mysql.php b/include/bad-behavior-mysql.php
index 936ecf5..6b88bf6 100644
--- a/include/bad-behavior-mysql.php
+++ b/include/bad-behavior-mysql.php
@@ -24,6 +24,7 @@ function bb2_table_structure($name)
 // Insert a new record
 function bb2_insert($settings, $package, $key)
 {
+ if (!$settings['logging']) return "";
 $ip = bb2_db_escape($package['ip']);
 $date = bb2_db_date();
 $request_method = bb2_db_escape($package['request_method']);
diff --git a/include/bad-behavior/core.inc.php b/include/bad-behavior/core.inc.php
index 915b866..6437537 100644
--- a/include/bad-behavior/core.inc.php
+++ b/include/bad-behavior/core.inc.php
@@ -1,5 +1,5 @@
 <?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.1.15");
+define('BB2_VERSION', "2.2.2");
 // Bad Behavior entry point is bb2_start()
 // If you're reading this, you are probably lost.
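Review bot: The new guard in bb2_insert reads `$settings['logging']` directly, so a settings array that predates this key raises an undefined-index notice on every request before the early return; `if (empty($settings['logging'])) return "";` keeps the intent and treats a missing key as logging disabled. The empty-string return also deserves a one-line comment saying what the caller does with it, since the rest of bb2_insert (outside the hunk) presumably builds a SQL statement for the caller to run, e.g. `// Logging disabled: hand back an empty query so nothing is executed`. bb2_insert continues outside the hunk.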
@@ -40,18 +40,32 @@ function bb2_approved($settings, $package)
 }
 }
-// If this is reverse-proxied or load balanced, obtain the actual client IP
+# If this is reverse-proxied or load balanced, obtain the actual client IP
 function bb2_reverse_proxy($settings, $headers_mixed)
 {
- $addrs = array_reverse(preg_split("/[\s,]+/", $headers_mixed[$settings['reverse_proxy_header']]));
+ # Detect if option is on when it should be off
+ $header = uc_all($settings['reverse_proxy_header']);
+ if (!array_key_exists($header, $headers_mixed)) {
+ return false;
+ }
+
+ $addrs = @array_reverse(preg_split("/[\s,]+/", $headers_mixed[$header]));
+ # Skip our known reverse proxies and private addresses
 if (!empty($settings['reverse_proxy_addresses'])) {
 foreach ($addrs as $addr) {
- if (!match_cidr($addr, $settings['reverse_proxy_addresses'])) {
+ if (!match_cidr($addr, $settings['reverse_proxy_addresses']) && !is_rfc1918($addr)) {
+ return $addr;
+ }
+ }
+ } else {
+ foreach ($addrs as $addr) {
+ if (!is_rfc1918($addr)) {
 return $addr;
 }
 }
 }
- return $addrs[0];
+ # If we got here, someone is playing a trick on us.
+ return false;
 }
 // Let God sort 'em out!
@@ -80,10 +94,9 @@ function bb2_start($settings)
 $request_uri = $_SERVER["REQUEST_URI"];
 if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS
- if ($settings['reverse_proxy']) {
+ if ($settings['reverse_proxy'] && $ip = bb2_reverse_proxy($settings, $headers_mixed)) {
 $headers['X-Bad-Behavior-Remote-Address'] = $_SERVER['REMOTE_ADDR'];
 $headers_mixed['X-Bad-Behavior-Remote-Address'] = $_SERVER['REMOTE_ADDR'];
- $ip = bb2_reverse_proxy($settings, $headers_mixed);
 } else {
 $ip = $_SERVER['REMOTE_ADDR'];
 }
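Review bot: bb2_reverse_proxy returns `$addr` straight out of the forwarded header without checking that it is an IP address at all, and the `@` on `@array_reverse(preg_split(...))` only hides the warning array_reverse emits when preg_split has returned false. Everything in that header before the last trusted hop is client-controlled, so a non-IP token in it would become the address used for screening and logging; validating before each `return $addr;`, e.g. `if (!is_rfc1918($addr) && filter_var($addr, FILTER_VALIDATE_IP) !== false) { return $addr; }`, and replacing the `@` with an explicit check that `$headers_mixed[$header]` is a string would close both. The whole of bb2_reverse_proxy is inside the hunk.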
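Review bot: Folding the assignment `$ip = bb2_reverse_proxy(...)` into the `&&` condition hides the fall-back path: when the lookup returns false the `else` branch silently screens `$_SERVER['REMOTE_ADDR']`, which behind a real reverse proxy is the proxy's own address, so every client would be rated as a single IP. Writing it as `$ip = $settings['reverse_proxy'] ? bb2_reverse_proxy($settings, $headers_mixed) : false;` followed by `if ($ip !== false) {` makes the fall-back explicit and gives a natural place to log when the proxy option is on but no usable address was found. bb2_start continues outside the hunk.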
@@ -100,16 +113,12 @@ function bb2_screen($settings, $package)
 // Please proceed to the security checkpoint, have your identification
 // and boarding pass ready, and prepare to be nakedized or fondled.
- // Check for CloudFlare CDN since IP to be screened may be different
+ // CloudFlare-specific checks not handled by reverse proxy code
 // Thanks to butchs at Simple Machines
 if (array_key_exists('Cf-Connecting-Ip', $package['headers_mixed'])) {
 require_once(BB2_CORE . "/cloudflare.inc.php");
 $r = bb2_cloudflare($package);
 if ($r !== false && $r != $package['ip']) return $r;
- # FIXME: For Cloudflare we are bypassing all checks for now
- # See cloudflare.inc.php for more detail
- bb2_approved($settings, $package);
- return false;
 }
 // First check the whitelist
diff --git a/include/bad-behavior/functions.inc.php b/include/bad-behavior/functions.inc.php
index 9833805..45d3645 100644
--- a/include/bad-behavior/functions.inc.php
+++ b/include/bad-behavior/functions.inc.php
@@ -58,6 +58,10 @@ function match_cidr($addr, $cidr) {
 return $output;
 }
+// Determine if an IP address is reserved by RFC 1918.
+function is_rfc1918($addr) {
+ return match_cidr($addr, array("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"));
+}
 // Obtain all the HTTP headers.
 // NB: on PHP-CGI we have to fake it out a bit, since we can't get the REAL
 // headers. Run PHP as Apache 2.0 module if possible for best results.
--
To stop receiving notification emails like this one, please contact the administrator of this repository.
_______________________________________________
Xfce4-commits mailing list
Xfce4-commits@xfce.org
https://mail.xfce.org/mailman/listinfo/xfce4-commits
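Review bot: With the blanket bypass removed, the branch still triggers on the mere presence of `Cf-Connecting-Ip` in `$package['headers_mixed']`, a header any client can send; whether bb2_cloudflare confirms that REMOTE_ADDR really is a Cloudflare proxy is decided in cloudflare.inc.php, outside this hunk, so the trust assumption should be stated here, e.g. `// Header is client-suppliable; bb2_cloudflare() is expected to verify the request came via Cloudflare before its value is trusted`. The kept line `if ($r !== false && $r != $package['ip']) return $r;` also mixes strict and loose comparison on two strings; `$r !== $package['ip']` says what is meant. bb2_screen continues outside the hunk.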
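Review bot: is_rfc1918 covers only the three IPv4 private blocks, so when bb2_reverse_proxy in core.inc.php (earlier hunk) uses it to skip non-client hops, a loopback (127.0.0.0/8) or link-local (169.254.0.0/16) entry in the forwarded header is returned as the client address, and IPv6 entries are never treated as private; whether match_cidr understands IPv6 prefixes at all is not visible from this hunk. Since the name is specific, the honest fix is a comment such as `// Only the RFC 1918 IPv4 blocks; loopback, link-local and IPv6 ULA are not covered` plus a separate helper for the other reserved ranges in the caller, rather than widening this list. match_cidr ends inside the hunk; is_rfc1918 is complete.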