[Xfce4-commits] <forum:master> Update bad-behaviour.
Nick Schermer
noreply at xfce.org
Sat Mar 10 14:20:01 CET 2012
Updating branch refs/heads/master
to 0344070ff3dc8c198cb2b54fcb2743a2ff793b5b (commit)
from ce720bfa9b9139a22a0facc0687207188f0bc5d1 (commit)
commit 0344070ff3dc8c198cb2b54fcb2743a2ff793b5b
Author: Nick Schermer <nick at xfce.org>
Date: Sat Mar 10 14:18:17 2012 +0100
Update bad-behaviour.
include/bad-behavior-mysql.php | 1 +
include/bad-behavior/core.inc.php | 33 ++++++++++++++++++++-----------
include/bad-behavior/functions.inc.php | 4 +++
3 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/include/bad-behavior-mysql.php b/include/bad-behavior-mysql.php
index 936ecf5..6b88bf6 100644
--- a/include/bad-behavior-mysql.php
+++ b/include/bad-behavior-mysql.php
@@ -24,6 +24,7 @@ function bb2_table_structure($name)
// Insert a new record
function bb2_insert($settings, $package, $key)
{
+ if (!$settings['logging']) return "";
$ip = bb2_db_escape($package['ip']);
$date = bb2_db_date();
$request_method = bb2_db_escape($package['request_method']);
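Review bot: The new guard at the top of bb2_insert reads `$settings['logging']` directly, so a settings array that never defined the key raises an undefined-index notice before the early return fires; `if (empty($settings['logging'])) return "";` handles both the unset and the false case. Returning an empty string also relies on every caller treating "" as "nothing to run" rather than handing it to the database layer, which is worth stating on the line, e.g. `// Logging disabled: return an empty query so the caller executes nothing`. bb2_insert's body continues past the end of the hunk.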
diff --git a/include/bad-behavior/core.inc.php b/include/bad-behavior/core.inc.php
index 915b866..6437537 100644
--- a/include/bad-behavior/core.inc.php
+++ b/include/bad-behavior/core.inc.php
@@ -1,5 +1,5 @@
<?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.1.15");
+define('BB2_VERSION', "2.2.2");
// Bad Behavior entry point is bb2_start()
// If you're reading this, you are probably lost.
@@ -40,18 +40,32 @@ function bb2_approved($settings, $package)
}
}
-// If this is reverse-proxied or load balanced, obtain the actual client IP
+# If this is reverse-proxied or load balanced, obtain the actual client IP
function bb2_reverse_proxy($settings, $headers_mixed)
{
- $addrs = array_reverse(preg_split("/[\s,]+/", $headers_mixed[$settings['reverse_proxy_header']]));
+ # Detect if option is on when it should be off
+ $header = uc_all($settings['reverse_proxy_header']);
+ if (!array_key_exists($header, $headers_mixed)) {
+ return false;
+ }
+
+ $addrs = @array_reverse(preg_split("/[\s,]+/", $headers_mixed[$header]));
+ # Skip our known reverse proxies and private addresses
if (!empty($settings['reverse_proxy_addresses'])) {
foreach ($addrs as $addr) {
- if (!match_cidr($addr, $settings['reverse_proxy_addresses'])) {
+ if (!match_cidr($addr, $settings['reverse_proxy_addresses']) && !is_rfc1918($addr)) {
+ return $addr;
+ }
+ }
+ } else {
+ foreach ($addrs as $addr) {
+ if (!is_rfc1918($addr)) {
return $addr;
}
}
}
- return $addrs[0];
+ # If we got here, someone is playing a trick on us.
+ return false;
}
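Review bot: The rewritten bb2_reverse_proxy still returns whichever token of the client-supplied header survives the two filters without checking that it is a syntactically valid IP address, and the `@` on the `array_reverse(preg_split(...))` line hides the very warning that would reveal a malformed header. Because the return value becomes the address that is screened and logged, each candidate should be validated before it is returned, e.g. `if (filter_var($addr, FILTER_VALIDATE_IP) === false) continue;` as the first statement of both foreach bodies, and the `@` dropped in favour of an explicit `=== false` check on the preg_split result. The two loops differ only in the extra match_cidr() term, so a single loop with `$trusted = !empty($settings['reverse_proxy_addresses']) && match_cidr($addr, $settings['reverse_proxy_addresses']);` would keep the two filters from drifting apart. uc_all() is not visible in this diff; I assume it normalises the configured header name to the casing used for keys in $headers_mixed.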
// Let God sort 'em out!
@@ -80,10 +94,9 @@ function bb2_start($settings)
$request_uri = $_SERVER["REQUEST_URI"];
if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS
- if ($settings['reverse_proxy']) {
+ if ($settings['reverse_proxy'] && $ip = bb2_reverse_proxy($settings, $headers_mixed)) {
$headers['X-Bad-Behavior-Remote-Address'] = $_SERVER['REMOTE_ADDR'];
$headers_mixed['X-Bad-Behavior-Remote-Address'] = $_SERVER['REMOTE_ADDR'];
- $ip = bb2_reverse_proxy($settings, $headers_mixed);
} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
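Review bot: Folding the assignment into the condition on the `if ($settings['reverse_proxy'] && $ip = ...)` line hides the fallback: when bb2_reverse_proxy() returns false (header absent, or every entry private), the else branch now screens and logs `$_SERVER['REMOTE_ADDR']`, which in a reverse-proxied deployment is the proxy's own address rather than the client's. That may be intended, but it deserves a comment on the else branch, e.g. `// No usable client address in the proxy header: fall back to the direct peer (the proxy itself when reverse_proxy is on)`. Hoisting the call into its own statement before the if would also avoid relying on PHP's handling of assignment inside a boolean expression. The enclosing bb2_start body begins and ends outside the hunk.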
@@ -100,16 +113,12 @@ function bb2_screen($settings, $package)
// Please proceed to the security checkpoint, have your identification
// and boarding pass ready, and prepare to be nakedized or fondled.
- // Check for CloudFlare CDN since IP to be screened may be different
+ // CloudFlare-specific checks not handled by reverse proxy code
// Thanks to butchs at Simple Machines
if (array_key_exists('Cf-Connecting-Ip', $package['headers_mixed'])) {
require_once(BB2_CORE . "/cloudflare.inc.php");
$r = bb2_cloudflare($package);
if ($r !== false && $r != $package['ip']) return $r;
- # FIXME: For Cloudflare we are bypassing all checks for now
- # See cloudflare.inc.php for more detail
- bb2_approved($settings, $package);
- return false;
}
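Review bot: The CloudFlare branch in bb2_screen is still entered solely on the presence of the client-supplied `Cf-Connecting-Ip` header, so dropping the blanket bb2_approved() bypass is the right change, but the new comment should say where the trust decision now lives. If bb2_cloudflare() in cloudflare.inc.php (not in this diff) does not itself verify that the connecting peer is a CloudFlare address, a comment such as `// Header presence is not proof of CloudFlare: bb2_cloudflare() must verify the connecting peer` makes that obligation explicit for whoever maintains that file. On the retained line, `$r != $package['ip']` would be safer as `!==`, since both operands are strings. bb2_screen continues outside the hunk.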
// First check the whitelist
diff --git a/include/bad-behavior/functions.inc.php b/include/bad-behavior/functions.inc.php
index 9833805..45d3645 100644
--- a/include/bad-behavior/functions.inc.php
+++ b/include/bad-behavior/functions.inc.php
@@ -58,6 +58,10 @@ function match_cidr($addr, $cidr) {
return $output;
}
+// Determine if an IP address is reserved by RFC 1918.
+function is_rfc1918($addr) {
+ return match_cidr($addr, array("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"));
+}
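Review bot: is_rfc1918() is used by bb2_reverse_proxy() as a "not a real client address" test, but its name and body cover only the three RFC 1918 private blocks; loopback (127.0.0.0/8), link-local (169.254.0.0/16) and any IPv6 entry pass straight through and would be accepted as the client address. Either widen the list (and rename, since it would no longer be strictly RFC 1918) or document the limit in the comment: `// Determine if an IP address is in an RFC 1918 private range. NB: loopback, link-local and IPv6 ranges are NOT covered.` This also assumes match_cidr() accepts an array of CIDR strings; its signature is visible at the top of the hunk but its body is not.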
// Obtain all the HTTP headers.
// NB: on PHP-CGI we have to fake it out a bit, since we can't get the REAL
// headers. Run PHP as Apache 2.0 module if possible for best results.