[Xfce4-commits] <forum:master> Update bad behaviour plugin to 2.1.7.

Nick Schermer noreply at xfce.org
Sat Nov 13 14:10:01 CET 2010


Updating branch refs/heads/master
         to a47fa75336802e076e6b74af60fdff016693d9de (commit)
       from 23b612869b46563470d0002e7d72a40cf408b215 (commit)

commit a47fa75336802e076e6b74af60fdff016693d9de
Author: Nick Schermer <nick at xfce.org>
Date:   Sat Nov 13 11:30:17 2010 +0100

    Update bad behaviour plugin to 2.1.7.

 include/bad-behavior/banned.inc.php       |    8 +++++---
 include/bad-behavior/blackhole.inc.php    |    5 -----
 include/bad-behavior/cloudflare.inc.php   |   15 +++++++++++++++
 include/bad-behavior/common_tests.inc.php |   13 +++++++++----
 include/bad-behavior/core.inc.php         |   19 +++++++++++++++++--
 include/bad-behavior/functions.inc.php    |    5 +++++
 include/bad-behavior/google.inc.php       |    7 ++++++-
 include/bad-behavior/msnbot.inc.php       |    7 ++++++-
 include/bad-behavior/responses.inc.php    |    2 ++
 include/bad-behavior/roundtripdns.inc.php |   20 ++++++++++++++++++++
 include/bad-behavior/version.inc.php      |    2 +-
 include/whitelist.ini                     |   26 ++++++++++++++++++++++++++
 plugins/AP_Bad_Behavior.php               |    1 +
 13 files changed, 113 insertions(+), 17 deletions(-)

diff --git a/include/bad-behavior/banned.inc.php b/include/bad-behavior/banned.inc.php
index 85a58f2..2b26cb1 100644
--- a/include/bad-behavior/banned.inc.php
+++ b/include/bad-behavior/banned.inc.php
@@ -5,7 +5,7 @@
 
 require_once(BB2_CORE . "/responses.inc.php");
 
-function bb2_display_denial($settings, $key, $previous_key = false)
+function bb2_display_denial($settings, $package, $key, $previous_key = false)
 {
 	define('DONOTCACHEPAGE', true);	// WP Super Cache
 	if (!$previous_key) $previous_key = $key;
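Review bot: Inserting the new required `$package` parameter in the middle of bb2_display_denial's signature silently breaks any caller that still passes `($settings, $key, $previous_key)`: `$key` would bind to `$package`, `$previous_key` to `$key`, and `$package['ip']` would then be a string offset on the old key. core.inc.php is updated in this commit, but callers outside this tree (the plugin host or a custom denial hook) are not visible here, so this is a hedge rather than a known breakage. Appending `$package` after `$previous_key` with a default, or at least checking `is_array($package)` at the top, would make the change backward-compatible. The function's body continues past this hunk.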
@@ -13,7 +13,7 @@ function bb2_display_denial($settings, $key, $previous_key = false)
 		// FIXME: lookup the real key
 	}
 	// Create support key
-	$ip = explode(".", $_SERVER['REMOTE_ADDR']);
+	$ip = explode(".", $package['ip']);
 	$ip_hex = "";
 	foreach ($ip as $octet) {
 		$ip_hex .= str_pad(dechex($octet), 2, 0, STR_PAD_LEFT);
@@ -24,6 +24,8 @@ function bb2_display_denial($settings, $key, $previous_key = false)
 	$response = bb2_get_response($previous_key);
 	header("HTTP/1.1 " . $response['response'] . " Bad Behavior");
 	header("Status: " . $response['response'] . " Bad Behavior");
+	$request_uri = $_SERVER["REQUEST_URI"];
+	if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME'];	# IIS
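Review bot: The support key is now derived from `$package['ip']`, which after this commit's core.inc.php change can be the raw `Cf-Connecting-Ip` header value rather than the socket address, yet the loop that follows `explode()`s it on `.` and feeds every piece to `dechex()` with no check that it is a dotted quad; a spoofed or IPv6 value produces a meaningless key and, depending on PHP version, warnings or a TypeError inside the error page. Guard it once before the loop, e.g. `if (!preg_match('/^\d{1,3}(\.\d{1,3}){3}$/', $package['ip'])) $ip = array(0, 0, 0, 0);`, or build the key only from an address core has already validated. Separately, `$_SERVER["REQUEST_URI"]` is read without `isset()`, so the IIS fallback this adds fires with a notice; `if (empty($_SERVER['REQUEST_URI']))` avoids that. bb2_display_denial begins in the previous hunk and continues past this one.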
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <!--< html xmlns="http://www.w3.org/1999/xhtml">-->
@@ -33,7 +35,7 @@ function bb2_display_denial($settings, $key, $previous_key = false)
 <body>
 <h1>Error <?php echo $response['response']; ?></h1>
 <p>We're sorry, but we could not fulfill your request for
-<?php echo htmlspecialchars($_SERVER['REQUEST_URI']) ?> on this server.</p>
+<?php echo htmlspecialchars($request_uri) ?> on this server.</p>
 <p><?php echo $response['explanation']; ?></p>
 <p>Your technical support key is: <strong><?php echo $support_key; ?></strong></p>
 <p>You can use this key to <a href="http://www.ioerror.us/bb2-support-key?key=<?php echo $support_key; ?>">fix this problem yourself</a>.</p>
diff --git a/include/bad-behavior/blackhole.inc.php b/include/bad-behavior/blackhole.inc.php
index 63829a6..f3bdff9 100644
--- a/include/bad-behavior/blackhole.inc.php
+++ b/include/bad-behavior/blackhole.inc.php
@@ -1,10 +1,5 @@
 <?php if (!defined('BB2_CORE')) die('I said no cheating!');
 
-// Quick and dirty check for an IPv6 address
-function is_ipv6($address) {
-	return (strpos($address, ":")) ? TRUE : FALSE;
-}
-
 // Look up address on various blackhole lists.
 // These should not be used for GET requests under any circumstances!
 // FIXME: Note that this code is no longer in use
diff --git a/include/bad-behavior/cloudflare.inc.php b/include/bad-behavior/cloudflare.inc.php
new file mode 100644
index 0000000..4f77f48
--- /dev/null
+++ b/include/bad-behavior/cloudflare.inc.php
@@ -0,0 +1,15 @@
+<?php if (!defined('BB2_CORE')) die('I said no cheating!');
+
+// Analyze requests claiming to be from CloudFlare
+
+require_once(BB2_CORE . "/roundtripdns.inc.php");
+
+function bb2_cloudflare($package)
+{
+	if (!bb2_roundtripdns($package['cloudflare'], "cloudflare.com")) {
+		return '70e45496';
+	}
+	return false;
+}
+
+?>
diff --git a/include/bad-behavior/common_tests.inc.php b/include/bad-behavior/common_tests.inc.php
index e4d88f0..fea693f 100644
--- a/include/bad-behavior/common_tests.inc.php
+++ b/include/bad-behavior/common_tests.inc.php
@@ -4,7 +4,6 @@
 
 function bb2_protocol($settings, $package)
 {
-	// Is it claiming to be HTTP/1.0?  Then it shouldn't do HTTP/1.1 things
 	// Always run this test; we should never see Expect:
 	if (array_key_exists('Expect', $package['headers_mixed']) && stripos($package['headers_mixed']['Expect'], "100-continue") !== FALSE) {
 		return "a0105122";
@@ -54,9 +53,9 @@ function bb2_misc_headers($settings, $package)
 	// Real user-agents do not start ranges at 0
 	// NOTE: this blocks the whois.sc bot. No big loss.
 	// Exceptions: MT (not fixable); LJ (refuses to fix; may be
-	// blocked again in the future)
+	// blocked again in the future); Facebook
 	if ($settings['strict'] && array_key_exists('Range', $package['headers_mixed']) && strpos($package['headers_mixed']['Range'], "=0-") !== FALSE) {
-		if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) && strncmp($ua, "php-openid/", 11)) {
+		if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) && strncmp($ua, "php-openid/", 11) && strncmp($ua, "facebookexternalhit", 19)) {
 			return "7ad04a8a";
 		}
 	}
@@ -105,6 +104,12 @@ function bb2_misc_headers($settings, $package)
 		if (preg_match('/\bkeep-alive,\s?keep-alive\b/i', $package['headers_mixed']['Connection'])) {
 			return "a52f0448";
 		}
+		// Keep-Alive format in RFC 2068; some bots mangle these headers
+		if (stripos($package['headers_mixed']['Connection'], "Keep-Alive: ") !== FALSE) {
+			return "b0924802";
+		}
+		// Close should not be oddly capitalized
+		
 	}
 	
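Review bot: The added comment `// Close should not be oddly capitalized` is followed by nothing but a blank line, so it reads as a check that was either forgotten or deliberately dropped, and the next reader cannot tell which. Either add the test it describes or rewrite it as `// TODO: reject oddly capitalized "Close" once the false-positive rate is known`, or remove it. The new Keep-Alive check above it looks fine; note for the record that `stripos()` makes it match `keep-alive: ` in any case, which is presumably intended. bb2_misc_headers continues past this hunk.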
 
@@ -113,7 +118,7 @@ function bb2_misc_headers($settings, $package)
 		return "b9cc1d86";
 	}
 	// Proxy-Connection does not exist and should never be seen in the wild
-	if (array_key_exists('Proxy-Connection', $package['headers_mixed'])) {
+	if ($settings['strict'] && array_key_exists('Proxy-Connection', $package['headers_mixed'])) {
 		return "b7830251";
 	}
 
diff --git a/include/bad-behavior/core.inc.php b/include/bad-behavior/core.inc.php
index 0b09fb5..a9d2bbf 100644
--- a/include/bad-behavior/core.inc.php
+++ b/include/bad-behavior/core.inc.php
@@ -16,7 +16,7 @@ function bb2_banned($settings, $package, $key, $previous_key=false)
 	sleep(2);
 
 	require_once(BB2_CORE . "/banned.inc.php");
-	bb2_display_denial($settings, $key, $previous_key);
+	bb2_display_denial($settings, $package, $key, $previous_key);
 	bb2_log_denial($settings, $package, $key, $previous_key);
 	if (is_callable('bb2_banned_callback')) {
 		bb2_banned_callback($settings, $package, $key);
@@ -64,7 +64,14 @@ function bb2_start($settings)
 		}
 	}
 
-	@$package = array('ip' => $_SERVER['REMOTE_ADDR'], 'headers' => $headers, 'headers_mixed' => $headers_mixed, 'request_method' => $_SERVER['REQUEST_METHOD'], 'request_uri' => $_SERVER['REQUEST_URI'], 'server_protocol' => $_SERVER['SERVER_PROTOCOL'], 'request_entity' => $request_entity, 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 'is_browser' => false);
+	$request_uri = $_SERVER["REQUEST_URI"];
+	if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME'];	# IIS
+
+	# Nasty CloudFlare hack provided by butchs at simplemachines
+	$ip_temp = preg_replace("/^::ffff:/", "", (array_key_exists('Cf-Connecting-Ip', $headers_mixed)) ? $_SERVER['HTTP_CF_CONNECTING_IP'] : $_SERVER['REMOTE_ADDR']);
+	$cloudflare_ip = preg_replace("/^::ffff:/", "", $_SERVER['REMOTE_ADDR']);
+
+	@$package = array('ip' => $ip_temp, 'headers' => $headers, 'headers_mixed' => $headers_mixed, 'request_method' => $_SERVER['REQUEST_METHOD'], 'request_uri' => $request_uri, 'server_protocol' => $_SERVER['SERVER_PROTOCOL'], 'request_entity' => $request_entity, 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 'is_browser' => false, 'cloudflare' => $cloudflare_ip);
 
 	$result = bb2_screen($settings, $package);
 	if ($result && !defined('BB2_TEST')) bb2_banned($settings, $package, $result);
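Review bot: `$ip_temp` adopts `HTTP_CF_CONNECTING_IP` as the client address the moment the header is present, before anything has established that REMOTE_ADDR belongs to CloudFlare; the only later verification is bb2_cloudflare in bb2_screen, which as written accepts any IPv6 peer (bb2_roundtripdns returns `$ip` there) and otherwise relies on reverse DNS. Anyone who can reach the origin directly can therefore choose the address that is whitelisted, screened, logged and embedded in the support key, and the header value is never even validated as an IP literal. I'd keep REMOTE_ADDR as `ip` unless the override is verified at this point, and at minimum shape-check it: `&& preg_match('/^\d{1,3}(\.\d{1,3}){3}$/', $_SERVER['HTTP_CF_CONNECTING_IP'])` on the condition (filter_var() may be off-limits given the stripos polyfill this codebase still carries). bb2_start begins outside the hunk.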
@@ -76,6 +83,14 @@ function bb2_screen($settings, $package)
 	// Please proceed to the security checkpoint and have your
 	// identification and boarding pass ready.
 
+	// Check for CloudFlare CDN since IP to be screened may be different
+	// Thanks to butchs at Simple Machines
+	if (array_key_exists('Cf-Connecting-Ip', $package['headers_mixed'])) {
+		require_once(BB2_CORE . "/cloudflare.inc.php");
+		$r = bb2_cloudflare($package);
+		if ($r !== false && $r != $package['ip']) return $r;
+	}
+
 	// First check the whitelist
 	require_once(BB2_CORE . "/whitelist.inc.php");
 	if (!bb2_whitelist($package)) {
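Review bot: The guard `$r !== false && $r != $package['ip']` on the new return line compares a response key with an IP address; bb2_cloudflare only ever returns the key `'70e45496'` or false, so the second clause is always true and only obscures the intent (and uses loose `!=` on strings). `if ($r !== false) return $r;` expresses the same thing. Ordering the CloudFlare check ahead of the whitelist is the right call, since `$package['ip']` may already be the header-supplied address by this point; a one-line comment saying so would save the next reader from moving it. bb2_screen continues past this hunk.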
diff --git a/include/bad-behavior/functions.inc.php b/include/bad-behavior/functions.inc.php
index 22e8882..1c27cb1 100644
--- a/include/bad-behavior/functions.inc.php
+++ b/include/bad-behavior/functions.inc.php
@@ -2,6 +2,11 @@
 
 // Miscellaneous helper functions.
 
+// Quick and dirty check for an IPv6 address
+function is_ipv6($address) {
+	return (strpos($address, ":")) ? TRUE : FALSE;
+}
+
 // stripos() needed because stripos is only present on PHP 5
 if (!function_exists('stripos')) {
 	function stripos($haystack,$needle,$offset = 0) {
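Review bot: `is_ipv6` returns FALSE for any address that starts with a colon, because `strpos()` returns 0 for a match at offset 0 and the bare ternary treats 0 as false; `::1` and `::ffff:`-prefixed forms are exactly the inputs this helper exists to flag. The fix is `return strpos($address, ":") !== false;`. The commit only moves the function from blackhole.inc.php, so the bug predates it, but bb2_roundtripdns now keys its IPv6 short-circuit on this result, so it is worth correcting in the same change.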
diff --git a/include/bad-behavior/google.inc.php b/include/bad-behavior/google.inc.php
index 956bdb4..61d424d 100644
--- a/include/bad-behavior/google.inc.php
+++ b/include/bad-behavior/google.inc.php
@@ -2,9 +2,14 @@
 
 // Analyze user agents claiming to be Googlebot
 
+require_once(BB2_CORE . "/roundtripdns.inc.php");
+
 function bb2_google($package)
 {
-	if (match_cidr($package['ip'], "66.249.64.0/19") === FALSE && match_cidr($package['ip'], "64.233.160.0/19") === FALSE && match_cidr($package['ip'], "72.14.192.0/18") === FALSE) {
+#	if (match_cidr($package['ip'], "66.249.64.0/19") === FALSE && match_cidr($package['ip'], "64.233.160.0/19") === FALSE && match_cidr($package['ip'], "72.14.192.0/18") === FALSE) {
+#		return "f1182195";
+#	}
+	if (!bb2_roundtripdns($package['ip'], "googlebot.com")) {
 		return "f1182195";
 	}
 	return false;
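Review bot: The old CIDR test is kept as three `#`-commented lines instead of being deleted; version control already preserves it, and commented-out code in a security check invites someone to re-enable stale ranges. More importantly, `!bb2_roundtripdns(...)` accepts every non-false return, and bb2_roundtripdns returns the `$ip` string for anything is_ipv6 flags, so an IPv6 client claiming to be Googlebot is never verified at all. Compare against the success value explicitly: `if (bb2_roundtripdns($package['ip'], "googlebot.com") !== true) {`.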
diff --git a/include/bad-behavior/msnbot.inc.php b/include/bad-behavior/msnbot.inc.php
index 0341da1..f647082 100644
--- a/include/bad-behavior/msnbot.inc.php
+++ b/include/bad-behavior/msnbot.inc.php
@@ -2,9 +2,14 @@
 
 // Analyze user agents claiming to be msnbot
 
+require_once(BB2_CORE . "/roundtripdns.inc.php");
+
 function bb2_msnbot($package)
 {
-	if (match_cidr($package['ip'], "207.46.0.0/16") === FALSE && match_cidr($package['ip'], "65.52.0.0/14") === FALSE && match_cidr($package['ip'], "207.68.128.0/18") === FALSE && match_cidr($package['ip'], "207.68.192.0/20") === FALSE && match_cidr($package['ip'], "64.4.0.0/18") === FALSE) {
+#	if (match_cidr($package['ip'], "207.46.0.0/16") === FALSE && match_cidr($package['ip'], "65.52.0.0/14") === FALSE && match_cidr($package['ip'], "207.68.128.0/18") === FALSE && match_cidr($package['ip'], "207.68.192.0/20") === FALSE && match_cidr($package['ip'], "64.4.0.0/18") === FALSE) {
+#		return "e4de0453";
+#	}
+	if (!bb2_roundtripdns($package['ip'], "msn.com")) {
 		return "e4de0453";
 	}
 	return false;
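Review bot: Same shape as the Googlebot change: `!bb2_roundtripdns(...)` passes any IPv6 peer unverified because bb2_roundtripdns returns the `$ip` string for those, so the test should read `if (bb2_roundtripdns($package['ip'], "msn.com") !== true) {`. The `#`-commented CIDR block should be removed rather than left in place. Whether `msn.com` is the right suffix for msnbot's PTR records is not something this diff establishes; a comment citing where that suffix comes from would make the check auditable.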
diff --git a/include/bad-behavior/responses.inc.php b/include/bad-behavior/responses.inc.php
index 89c995c..bc1ff9c 100644
--- a/include/bad-behavior/responses.inc.php
+++ b/include/bad-behavior/responses.inc.php
@@ -19,6 +19,7 @@ function bb2_get_response($key) {
 		'582ec5e4' => array('response' => 400, 'explanation' => 'An invalid request was received. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator. This may also be caused by a bug in the Opera web browser.', 'log' => '"Header \'TE\' present but TE not specified in \'Connection\' header'),
 		'69920ee5' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Header \'Referer\' present but blank'),
 		'6c502ff1' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Bot not fully compliant with RFC 2965'),
+		'70e45496' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User agent claimed to be CloudFlare, claim appears false'),
 		'799165c2' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Rotating user-agents detected'),
 		'7a06532b' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept-Encoding\' missing'),
 		'7ad04a8a' => array('response' => 400, 'explanation' => 'The automated program you are using is not permitted to access this server. Please use a different program or a standard Web browser.', 'log' => 'Prohibited header \'Range\' present'),
@@ -28,6 +29,7 @@ function bb2_get_response($key) {
 		'a0105122' => array('response' => 417, 'explanation' => 'Expectation failed. Please retry your request.', 'log' => 'Header \'Expect\' prohibited; resend without Expect'),
 		'a1084bad' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User-Agent claimed to be MSIE, with invalid Windows version'),
 		'a52f0448' => array('response' => 400, 'explanation' => 'An invalid request was received.  This may be caused by a malfunctioning proxy server or browser privacy software. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator.', 'log' => 'Header \'Connection\' contains invalid values'),
+		'b0924802' => array('response' => 400, 'explanation' => 'An invalid request was received. This may be caused by malicious software on your computer.', 'log' => 'Incorrect form of HTTP/1.0 Keep-Alive'),
 		'b40c8ddc' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, close your browser, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'POST more than two days after GET'),
 		'b7830251' => array('response' => 400, 'explanation' => 'Your proxy server sent an invalid request. Please contact the proxy server administrator to have this problem fixed.', 'log' => 'Prohibited header \'Proxy-Connection\' present'),
 		'b9cc1d86' => array('response' => 403, 'explanation' => 'The proxy server you are using is not permitted to access this server. Please bypass the proxy server, or contact your proxy server administrator.', 'log' => 'Prohibited header \'X-Aaaaaaaaaa\' or \'X-Aaaaaaaaaaaa\' present'),
diff --git a/include/bad-behavior/roundtripdns.inc.php b/include/bad-behavior/roundtripdns.inc.php
new file mode 100644
index 0000000..0c993ec
--- /dev/null
+++ b/include/bad-behavior/roundtripdns.inc.php
@@ -0,0 +1,20 @@
+<?php if (!defined('BB2_CORE')) die("I said no cheating!");
+
+# Round trip DNS verification
+
+# Returns TRUE if DNS matches; FALSE on mismatch
+# Returns $ip if an error occurs
+# TODO: Not IPv6 safe
+# FIXME: Returns false on DNS server failure; PHP provides no distinction
+# between no records and error condition
+function bb2_roundtripdns($ip,$domain)
+{
+	if (@is_ipv6($ip)) return $ip;
+
+	$host = gethostbyaddr($ip);
+	$host_result = strpos(strrev($host), strrev($domain));
+	if ($host_result === false || $host_result > 0) return false;
+	$addrs = gethostbynamel($host);
+	if (in_array($ip, $addrs)) return true;
+	return false;
+}
diff --git a/include/bad-behavior/version.inc.php b/include/bad-behavior/version.inc.php
index f615eae..9b7cde8 100644
--- a/include/bad-behavior/version.inc.php
+++ b/include/bad-behavior/version.inc.php
@@ -1,3 +1,3 @@
 <?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.1.2");
+define('BB2_VERSION', "2.1.7");
 ?>
diff --git a/include/whitelist.ini b/include/whitelist.ini
new file mode 100644
index 0000000..83d248c
--- /dev/null
+++ b/include/whitelist.ini
@@ -0,0 +1,26 @@
+; Inappropriate whitelisting WILL expose you to spam, or cause Bad Behavior
+; to stop functioning entirely! DO NOT WHITELIST unless you are 100% CERTAIN
+; that you should.
+
+; IP address ranges use the CIDR format.
+
+[ip]
+; Digg whitelisted as of 2.0.12
+ip[] = "64.191.203.34"
+ip[] = "208.67.217.130"
+; RFC 1918 addresses
+ip[] = "10.0.0.0/8"
+ip[] = "172.16.0.0/12"
+ip[] = "192.168.0.0/16"
+
+; User agents are matched by exact match only.
+
+[useragent]
+useragent[] = "Mozilla/4.0 (It's me, let me in)"
+
+; URLs are matched from the first / after the server name up to, but not
+; including, the ? (if any). The URL to be whitelisted is a URL on YOUR site.
+
+[url]
+url[] = "/example.php"
+url[] = "/openid/server"
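Review bot: The sample ships the three RFC 1918 ranges as active `ip[]` entries rather than commented out, directly under a header warning that inappropriate whitelisting exposes the site to spam; on a host behind a reverse proxy or load balancer on a private network, REMOTE_ADDR is always one of those ranges and every request would be whitelisted. Whether bb2_whitelist actually loads this file is not visible in the diff, but if it does, the default should be opt-in: prefix those three lines with `;` and add `; Uncomment only if no proxy sits in front of this server` above them. The two example `url[]` entries (`/example.php`, `/openid/server`) likewise look like placeholders that would be safer commented out.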
diff --git a/plugins/AP_Bad_Behavior.php b/plugins/AP_Bad_Behavior.php
index 188807c..3c0b41d 100644
--- a/plugins/AP_Bad_Behavior.php
+++ b/plugins/AP_Bad_Behavior.php
@@ -63,6 +63,7 @@ else
 		<div class="box">
 			<div class="inbox">
 				<p><?php echo bb2_insert_stats(true) ?></p>
+				<p>Powered by <a href="http://www.bad-behavior.ioerror.us/">Bad Behavior</a> version <?php echo BB2_VERSION ?></p>
 			</div>
 		</div>
 		<h2 class="block2"><span>Settings</span></h2>


