From 10f93d0d4367ade293c7a8733989cedcd7ca791a Mon Sep 17 00:00:00 2001 From: czaks Date: Tue, 24 Mar 2015 05:19:25 +0100 Subject: [PATCH] implement a protection against transparent proxies --- inc/config.php | 6 ++++++ inc/functions.php | 34 ++++++++++++++++++++++------------ post.php | 7 ++++++- 3 files changed, 34 insertions(+), 13 deletions(-) diff --git a/inc/config.php b/inc/config.php index 42e1c32b..0ba1952b 100644 --- a/inc/config.php +++ b/inc/config.php @@ -290,6 +290,12 @@ // Ability to lock a board for normal users and still allow mods to post. Could also be useful for making an archive board $config['board_locked'] = false; + // If poster's proxy supplies X-Forwarded-For header, check if poster's real IP is banned. + $config['proxy_check'] = false; + + // If poster's proxy supplies X-Forwarded-For header, save it for further inspection and/or filtering. + $config['proxy_save'] = false; + /* * Custom filters detect certain posts and reject/ban accordingly. They are made up of a condition and an * action (for when ALL conditions are met). As every single post has to be put through each filter, diff --git a/inc/functions.php b/inc/functions.php index ca918e0a..0f70d447 100755 --- a/inc/functions.php +++ b/inc/functions.php 
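Review bot: The comments on the new `$config['proxy_check']` and `$config['proxy_save']` options do not say that X-Forwarded-For is a client-supplied header, so an operator reading them may enable the options on an installation with no reverse proxy, where any poster can set the header to arbitrary values. I would extend the first comment with `// Only enable this behind a trusted reverse proxy that sets or overwrites X-Forwarded-For; otherwise the poster can forge the header.` and add a matching sentence to the `proxy_save` comment. Both options default to `false`, which is the right default for exactly that reason.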
@@ -810,12 +810,29 @@ function checkBan($board = false) { if (event('check-ban', $board)) return true; - $bans = Bans::find($_SERVER['REMOTE_ADDR'], $board, $config['show_modname']); + $ips = array(); + + $ips[] = $_SERVER['REMOTE_ADDR']; + + if ($config['proxy_check'] && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { + $ips = array_merge($ips, explode(", ", $_SERVER['HTTP_X_FORWARDED_FOR'])); + } + + foreach ($ips as $ip) { + $bans = Bans::find($_SERVER['REMOTE_ADDR'], $board, $config['show_modname']); - foreach ($bans as &$ban) { - if ($ban['expires'] && $ban['expires'] < time()) { - Bans::delete($ban['id']); - if ($config['require_ban_view'] && !$ban['seen']) { + foreach ($bans as &$ban) { + if ($ban['expires'] && $ban['expires'] < time()) { + Bans::delete($ban['id']); + if ($config['require_ban_view'] && !$ban['seen']) { + if (!isset($_POST['json_response'])) { + displayBan($ban); + } else { + header('Content-Type: text/json'); + die(json_encode(array('error' => true, 'banned' => true))); + } + } + } else { if (!isset($_POST['json_response'])) { displayBan($ban); } else { @@ -823,13 +840,6 @@ function checkBan($board = false) { die(json_encode(array('error' => true, 'banned' => true))); } } - } else { - if (!isset($_POST['json_response'])) { - displayBan($ban); - } else { - header('Content-Type: text/json'); - die(json_encode(array('error' => true, 'banned' => true))); - } } } diff --git a/post.php b/post.php index 87795aa0..100c3efb 100644 --- a/post.php +++ b/post.php @@ -516,7 +516,7 @@ if (isset($_POST['delete'])) { "\n".geoip\geoip_country_name_by_addr_v6($gi, ipv4to6($_SERVER['REMOTE_ADDR'])).""; } } - + if ($config['user_flag'] && isset($_POST['user_flag'])) if (!empty($_POST['user_flag']) ){ 
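Review bot: Inside the new `foreach ($ips as $ip)` loop, `Bans::find($_SERVER['REMOTE_ADDR'], $board, $config['show_modname'])` still passes `REMOTE_ADDR`, so the forwarded addresses gathered when `proxy_check` is on are never looked up and the same query simply repeats once per entry; the line should read `$bans = Bans::find($ip, $board, $config['show_modname']);`. The split on `", "` also assumes one exact separator, whereas X-Forwarded-For entries may be joined by a comma with or without whitespace, so `array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']))` is safer. Because the header is client-supplied unless a trusted reverse proxy overwrites it, each entry should be checked with `filter_var($ip, FILTER_VALIDATE_IP)` and skipped when that fails, rather than handing arbitrary strings to `Bans::find`. The body of `checkBan` continues past this hunk, and the second hunk at -823 only removes the lines that were re-indented into the loop.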
@@ -530,6 +530,11 @@ if (isset($_POST['delete'])) { $post['body'] .= "\n" . strtolower($user_flag) . "" . "\n" . $flag_alt . ""; } + + if ($config['proxy_save'] && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { + $proxy = preg_replace("/[^0-9a-fA-F.,: ]/", '', $_SERVER['HTTP_X_FORWARDED_FOR']); + $post['body'] .= "\n".$proxy.""; + } if (mysql_version() >= 50503) { $post['body_nomarkup'] = $post['body']; // Assume we're using the utf8mb4 charset
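Review bot: The value appended to `$post['body']` from `HTTP_X_FORWARDED_FOR` is allow-listed to hex digits, `.`, `,`, `:` and spaces but never length-bounded, and the header is client-supplied, so a poster can pad every post body with an arbitrarily long string that is then carried into `$post['body_nomarkup']` on the next lines. I would cap it right after the `preg_replace`, e.g. `$proxy = substr($proxy, 0, 255);` (size to taste), and only append when something survived the filter: `if ($proxy !== '')`. Whether `$post['body']` is truncated or length-checked elsewhere is not visible in this hunk.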