[Xfce4-commits] [www/forum.xfce.org] 15/79: Update bad behaviour plugin to 2.1.7.
noreply at xfce.org
noreply at xfce.org
Tue May 21 14:48:10 CEST 2019
This is an automated email from the git hooks/post-receive script.
skunnyk pushed a commit to branch oldforum
in repository www/forum.xfce.org.
commit a47fa75336802e076e6b74af60fdff016693d9de
Author: Nick Schermer <nick at xfce.org>
Date: Sat Nov 13 11:30:17 2010 +0100
Update bad behaviour plugin to 2.1.7.
---
include/bad-behavior/banned.inc.php | 8 +++++---
include/bad-behavior/blackhole.inc.php | 5 -----
include/bad-behavior/cloudflare.inc.php | 15 +++++++++++++++
include/bad-behavior/common_tests.inc.php | 13 +++++++++----
include/bad-behavior/core.inc.php | 19 +++++++++++++++++--
include/bad-behavior/functions.inc.php | 5 +++++
include/bad-behavior/google.inc.php | 7 ++++++-
include/bad-behavior/msnbot.inc.php | 7 ++++++-
include/bad-behavior/responses.inc.php | 2 ++
include/bad-behavior/roundtripdns.inc.php | 20 ++++++++++++++++++++
include/bad-behavior/version.inc.php | 2 +-
include/whitelist.ini | 26 ++++++++++++++++++++++++++
plugins/AP_Bad_Behavior.php | 1 +
13 files changed, 113 insertions(+), 17 deletions(-)
diff --git a/include/bad-behavior/banned.inc.php b/include/bad-behavior/banned.inc.php
index 85a58f2..2b26cb1 100644
--- a/include/bad-behavior/banned.inc.php
+++ b/include/bad-behavior/banned.inc.php
@@ -5,7 +5,7 @@
require_once(BB2_CORE . "/responses.inc.php");
-function bb2_display_denial($settings, $key, $previous_key = false)
+function bb2_display_denial($settings, $package, $key, $previous_key = false)
{
define('DONOTCACHEPAGE', true); // WP Super Cache
if (!$previous_key) $previous_key = $key;
@@ -13,7 +13,7 @@ function bb2_display_denial($settings, $key, $previous_key = false)
// FIXME: lookup the real key
}
// Create support key
- $ip = explode(".", $_SERVER['REMOTE_ADDR']);
+ $ip = explode(".", $package['ip']);
$ip_hex = "";
foreach ($ip as $octet) {
$ip_hex .= str_pad(dechex($octet), 2, 0, STR_PAD_LEFT);
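Review bot: The support-key derivation on the `$ip = explode(".", $package['ip'])` line still assumes a dotted-quad, but `$package['ip']` is now whatever core.inc.php stored there — the `Cf-Connecting-Ip` header value when that header is present, or an unmodified IPv6 REMOTE_ADDR — so `dechex($octet)` is fed a non-numeric string for anything that is not IPv4 (a warning on older PHP, and I believe a TypeError on PHP 8). A guard before the loop such as `if (!filter_var($package['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) $ip = array();` keeps the denial page rendering with an empty hex part instead of failing mid-response. `bb2_display_denial` begins and ends outside this hunk.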
@@ -24,6 +24,8 @@ function bb2_display_denial($settings, $key, $previous_key = false)
$response = bb2_get_response($previous_key);
header("HTTP/1.1 " . $response['response'] . " Bad Behavior");
header("Status: " . $response['response'] . " Bad Behavior");
+ $request_uri = $_SERVER["REQUEST_URI"];
+ if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--< html xmlns="http://www.w3.org/1999/xhtml">-->
@@ -33,7 +35,7 @@ function bb2_display_denial($settings, $key, $previous_key = false)
<body>
<h1>Error <?php echo $response['response']; ?></h1>
<p>We're sorry, but we could not fulfill your request for
-<?php echo htmlspecialchars($_SERVER['REQUEST_URI']) ?> on this server.</p>
+<?php echo htmlspecialchars($request_uri) ?> on this server.</p>
<p><?php echo $response['explanation']; ?></p>
<p>Your technical support key is: <strong><?php echo $support_key; ?></strong></p>
<p>You can use this key to <a href="http://www.ioerror.us/bb2-support-key?key=<?php echo $support_key; ?>">fix this problem yourself</a>.</p>
diff --git a/include/bad-behavior/blackhole.inc.php b/include/bad-behavior/blackhole.inc.php
index 63829a6..f3bdff9 100644
--- a/include/bad-behavior/blackhole.inc.php
+++ b/include/bad-behavior/blackhole.inc.php
@@ -1,10 +1,5 @@
<?php if (!defined('BB2_CORE')) die('I said no cheating!');
-// Quick and dirty check for an IPv6 address
-function is_ipv6($address) {
- return (strpos($address, ":")) ? TRUE : FALSE;
-}
-
// Look up address on various blackhole lists.
// These should not be used for GET requests under any circumstances!
// FIXME: Note that this code is no longer in use
diff --git a/include/bad-behavior/cloudflare.inc.php b/include/bad-behavior/cloudflare.inc.php
new file mode 100644
index 0000000..4f77f48
--- /dev/null
+++ b/include/bad-behavior/cloudflare.inc.php
@@ -0,0 +1,15 @@
+<?php if (!defined('BB2_CORE')) die('I said no cheating!');
+
+// Analyze requests claiming to be from CloudFlare
+
+require_once(BB2_CORE . "/roundtripdns.inc.php");
+
+function bb2_cloudflare($package)
+{
+ if (!bb2_roundtripdns($package['cloudflare'], "cloudflare.com")) {
+ return '70e45496';
+ }
+ return false;
+}
+
+?>
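Review bot: `bb2_cloudflare` treats every non-false return of `bb2_roundtripdns` as a verified CloudFlare edge, but roundtripdns.inc.php returns the address itself for IPv6 input (its `if (@is_ipv6($ip)) return $ip;`), so an IPv6 client that adds a `Cf-Connecting-Ip` header passes this check with no DNS verification and gets its claimed address screened instead of its own. Fail closed with a strict comparison, `if (bb2_roundtripdns($package['cloudflare'], "cloudflare.com") !== true) {`, until the helper is IPv6-safe. The function also needs a header comment stating what it actually verifies: `// Verify that REMOTE_ADDR round-trips to a cloudflare.com host before Cf-Connecting-Ip is trusted; returns the denial key on failure, false when verified`.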
diff --git a/include/bad-behavior/common_tests.inc.php b/include/bad-behavior/common_tests.inc.php
index e4d88f0..fea693f 100644
--- a/include/bad-behavior/common_tests.inc.php
+++ b/include/bad-behavior/common_tests.inc.php
@@ -4,7 +4,6 @@
function bb2_protocol($settings, $package)
{
- // Is it claiming to be HTTP/1.0? Then it shouldn't do HTTP/1.1 things
// Always run this test; we should never see Expect:
if (array_key_exists('Expect', $package['headers_mixed']) && stripos($package['headers_mixed']['Expect'], "100-continue") !== FALSE) {
return "a0105122";
@@ -54,9 +53,9 @@ function bb2_misc_headers($settings, $package)
// Real user-agents do not start ranges at 0
// NOTE: this blocks the whois.sc bot. No big loss.
// Exceptions: MT (not fixable); LJ (refuses to fix; may be
- // blocked again in the future)
+ // blocked again in the future); Facebook
if ($settings['strict'] && array_key_exists('Range', $package['headers_mixed']) && strpos($package['headers_mixed']['Range'], "=0-") !== FALSE) {
- if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) && strncmp($ua, "php-openid/", 11)) {
+ if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) && strncmp($ua, "php-openid/", 11) && strncmp($ua, "facebookexternalhit", 19)) {
return "7ad04a8a";
}
}
@@ -105,6 +104,12 @@ function bb2_misc_headers($settings, $package)
if (preg_match('/\bkeep-alive,\s?keep-alive\b/i', $package['headers_mixed']['Connection'])) {
return "a52f0448";
}
+ // Keep-Alive format in RFC 2068; some bots mangle these headers
+ if (stripos($package['headers_mixed']['Connection'], "Keep-Alive: ") !== FALSE) {
+ return "b0924802";
+ }
+ // Close should not be oddly capitalized
+
}
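Review bot: The new `// Close should not be oddly capitalized` comment at the end of the hunk has no code under it, so it reads as a half-written test; either drop it or implement the check it promises. The added Keep-Alive test reads `$package['headers_mixed']['Connection']` directly, and the hunk does not show the `array_key_exists` guard that must precede it — if that guard sits above the hunk this is fine, otherwise a request with no Connection header emits a notice here. `bb2_misc_headers` starts and ends outside this hunk.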
@@ -113,7 +118,7 @@ function bb2_misc_headers($settings, $package)
return "b9cc1d86";
}
// Proxy-Connection does not exist and should never be seen in the wild
- if (array_key_exists('Proxy-Connection', $package['headers_mixed'])) {
+ if ($settings['strict'] && array_key_exists('Proxy-Connection', $package['headers_mixed'])) {
return "b7830251";
}
diff --git a/include/bad-behavior/core.inc.php b/include/bad-behavior/core.inc.php
index 0b09fb5..a9d2bbf 100644
--- a/include/bad-behavior/core.inc.php
+++ b/include/bad-behavior/core.inc.php
@@ -16,7 +16,7 @@ function bb2_banned($settings, $package, $key, $previous_key=false)
sleep(2);
require_once(BB2_CORE . "/banned.inc.php");
- bb2_display_denial($settings, $key, $previous_key);
+ bb2_display_denial($settings, $package, $key, $previous_key);
bb2_log_denial($settings, $package, $key, $previous_key);
if (is_callable('bb2_banned_callback')) {
bb2_banned_callback($settings, $package, $key);
@@ -64,7 +64,14 @@ function bb2_start($settings)
}
}
- @$package = array('ip' => $_SERVER['REMOTE_ADDR'], 'headers' => $headers, 'headers_mixed' => $headers_mixed, 'request_method' => $_SERVER['REQUEST_METHOD'], 'request_uri' => $_SERVER['REQUEST_URI'], 'server_protocol' => $_SERVER['SERVER_PROTOCOL'], 'request_entity' => $request_entity, 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 'is_browser' => false);
+ $request_uri = $_SERVER["REQUEST_URI"];
+ if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS
+
+ # Nasty CloudFlare hack provided by butchs at simplemachines
+ $ip_temp = preg_replace("/^::ffff:/", "", (array_key_exists('Cf-Connecting-Ip', $headers_mixed)) ? $_SERVER['HTTP_CF_CONNECTING_IP'] : $_SERVER['REMOTE_ADDR']);
+ $cloudflare_ip = preg_replace("/^::ffff:/", "", $_SERVER['REMOTE_ADDR']);
+
+ @$package = array('ip' => $ip_temp, 'headers' => $headers, 'headers_mixed' => $headers_mixed, 'request_method' => $_SERVER['REQUEST_METHOD'], 'request_uri' => $request_uri, 'server_protocol' => $_SERVER['SERVER_PROTOCOL'], 'request_entity' => $request_entity, 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 'is_browser' => false, 'cloudflare' => $cloudflare_ip);
$result = bb2_screen($settings, $package);
if ($result && !defined('BB2_TEST')) bb2_banned($settings, $package, $result);
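Review bot: The `$ip_temp` line trusts the `Cf-Connecting-Ip` header the moment it is present and never checks that its value is an IP address at all; the only defence is the later `bb2_cloudflare` screen, which as written skips IPv6 edges and depends on reverse DNS answering. Since `$package['ip']` now presumably feeds the whitelist CIDR matching, the denial log and the support key, validate it at the source — `if (filter_var($ip_temp, FILTER_VALIDATE_IP) === false) $ip_temp = $cloudflare_ip;` — so a malformed header falls back to REMOTE_ADDR rather than propagating an arbitrary string. The `@` in front of `$package = array(...)` also hides the notices that would reveal a missing `HTTP_USER_AGENT`; with the `array_key_exists` test already in place it is doing more harm than good. `bb2_start` begins outside this hunk.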
@@ -76,6 +83,14 @@ function bb2_screen($settings, $package)
// Please proceed to the security checkpoint and have your
// identification and boarding pass ready.
+ // Check for CloudFlare CDN since IP to be screened may be different
+ // Thanks to butchs at Simple Machines
+ if (array_key_exists('Cf-Connecting-Ip', $package['headers_mixed'])) {
+ require_once(BB2_CORE . "/cloudflare.inc.php");
+ $r = bb2_cloudflare($package);
+ if ($r !== false && $r != $package['ip']) return $r;
+ }
+
// First check the whitelist
require_once(BB2_CORE . "/whitelist.inc.php");
if (!bb2_whitelist($package)) {
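Review bot: The `$r != $package['ip']` clause in the new CloudFlare branch cannot do useful work: `bb2_cloudflare` returns either the key `'70e45496'` or `false`, so once `$r !== false` holds the second comparison is always true, and a loose `!=` against an IP string only invites PHP's string-to-number comparison quirks. Simplify to `if ($r !== false) return $r;`. Note that this check runs before the whitelist, so its outcome is entirely decided by `bb2_roundtripdns`, whose IPv6 and resolver-failure behaviour roundtripdns.inc.php itself marks as unfinished. `bb2_screen` continues outside this hunk.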
diff --git a/include/bad-behavior/functions.inc.php b/include/bad-behavior/functions.inc.php
index 22e8882..1c27cb1 100644
--- a/include/bad-behavior/functions.inc.php
+++ b/include/bad-behavior/functions.inc.php
@@ -2,6 +2,11 @@
// Miscellaneous helper functions.
+// Quick and dirty check for an IPv6 address
+function is_ipv6($address) {
+ return (strpos($address, ":")) ? TRUE : FALSE;
+}
+
// stripos() needed because stripos is only present on PHP 5
if (!function_exists('stripos')) {
function stripos($haystack,$needle,$offset = 0) {
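Review bot: `is_ipv6` returns FALSE for any address whose first character is a colon, because `strpos($address, ":")` yields `0` there and the ternary treats it as false; `::1` is exactly such an input, and after this commit the function decides whether `bb2_roundtripdns` runs at all. Use an identity test: `return strpos($address, ":") !== false;`. The function is only relocated from blackhole.inc.php, but it is now load-bearing for the bot-verification path, so the fix belongs here.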
diff --git a/include/bad-behavior/google.inc.php b/include/bad-behavior/google.inc.php
index 956bdb4..61d424d 100644
--- a/include/bad-behavior/google.inc.php
+++ b/include/bad-behavior/google.inc.php
@@ -2,9 +2,14 @@
// Analyze user agents claiming to be Googlebot
+require_once(BB2_CORE . "/roundtripdns.inc.php");
+
function bb2_google($package)
{
- if (match_cidr($package['ip'], "66.249.64.0/19") === FALSE && match_cidr($package['ip'], "64.233.160.0/19") === FALSE && match_cidr($package['ip'], "72.14.192.0/18") === FALSE) {
+# if (match_cidr($package['ip'], "66.249.64.0/19") === FALSE && match_cidr($package['ip'], "64.233.160.0/19") === FALSE && match_cidr($package['ip'], "72.14.192.0/18") === FALSE) {
+# return "f1182195";
+# }
+ if (!bb2_roundtripdns($package['ip'], "googlebot.com")) {
return "f1182195";
}
return false;
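Review bot: Replacing the CIDR test with `bb2_roundtripdns` means every request whose user agent claims Googlebot now costs a reverse and a forward DNS lookup on the request path with no caching, and the helper's own FIXME says a resolver failure returns false — so DNS trouble turns into blocking the real Googlebot with `f1182195`. Keep the old CIDR test as a fast path before the DNS round trip, e.g. `if (match_cidr($package['ip'], "66.249.64.0/19") !== FALSE) return false;` for each known range, which also bounds the lookup cost an unauthenticated client can trigger just by sending that user agent. The commented-out `#` lines should be deleted rather than kept; version control holds the history. The same remarks apply to msnbot.inc.php.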
diff --git a/include/bad-behavior/msnbot.inc.php b/include/bad-behavior/msnbot.inc.php
index 0341da1..f647082 100644
--- a/include/bad-behavior/msnbot.inc.php
+++ b/include/bad-behavior/msnbot.inc.php
@@ -2,9 +2,14 @@
// Analyze user agents claiming to be msnbot
+require_once(BB2_CORE . "/roundtripdns.inc.php");
+
function bb2_msnbot($package)
{
- if (match_cidr($package['ip'], "207.46.0.0/16") === FALSE && match_cidr($package['ip'], "65.52.0.0/14") === FALSE && match_cidr($package['ip'], "207.68.128.0/18") === FALSE && match_cidr($package['ip'], "207.68.192.0/20") === FALSE && match_cidr($package['ip'], "64.4.0.0/18") === FALSE) {
+# if (match_cidr($package['ip'], "207.46.0.0/16") === FALSE && match_cidr($package['ip'], "65.52.0.0/14") === FALSE && match_cidr($package['ip'], "207.68.128.0/18") === FALSE && match_cidr($package['ip'], "207.68.192.0/20") === FALSE && match_cidr($package['ip'], "64.4.0.0/18") === FALSE) {
+# return "e4de0453";
+# }
+ if (!bb2_roundtripdns($package['ip'], "msn.com")) {
return "e4de0453";
}
return false;
diff --git a/include/bad-behavior/responses.inc.php b/include/bad-behavior/responses.inc.php
index 89c995c..bc1ff9c 100644
--- a/include/bad-behavior/responses.inc.php
+++ b/include/bad-behavior/responses.inc.php
@@ -19,6 +19,7 @@ function bb2_get_response($key) {
'582ec5e4' => array('response' => 400, 'explanation' => 'An invalid request was received. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator. This may also be caused by a bug in the Opera web browser.', 'log' => '"Header \'TE\' present but TE not specified in \'Connection\' header'),
'69920ee5' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Header \'Referer\' present but blank'),
'6c502ff1' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Bot not fully compliant with RFC 2965'),
+ '70e45496' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User agent claimed to be CloudFlare, claim appears false'),
'799165c2' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Rotating user-agents detected'),
'7a06532b' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept-Encoding\' missing'),
'7ad04a8a' => array('response' => 400, 'explanation' => 'The automated program you are using is not permitted to access this server. Please use a different program or a standard Web browser.', 'log' => 'Prohibited header \'Range\' present'),
@@ -28,6 +29,7 @@ function bb2_get_response($key) {
'a0105122' => array('response' => 417, 'explanation' => 'Expectation failed. Please retry your request.', 'log' => 'Header \'Expect\' prohibited; resend without Expect'),
'a1084bad' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User-Agent claimed to be MSIE, with invalid Windows version'),
'a52f0448' => array('response' => 400, 'explanation' => 'An invalid request was received. This may be caused by a malfunctioning proxy server or browser privacy software. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator.', 'log' => 'Header \'Connection\' contains invalid values'),
+ 'b0924802' => array('response' => 400, 'explanation' => 'An invalid request was received. This may be caused by malicious software on your computer.', 'log' => 'Incorrect form of HTTP/1.0 Keep-Alive'),
'b40c8ddc' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, close your browser, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'POST more than two days after GET'),
'b7830251' => array('response' => 400, 'explanation' => 'Your proxy server sent an invalid request. Please contact the proxy server administrator to have this problem fixed.', 'log' => 'Prohibited header \'Proxy-Connection\' present'),
'b9cc1d86' => array('response' => 403, 'explanation' => 'The proxy server you are using is not permitted to access this server. Please bypass the proxy server, or contact your proxy server administrator.', 'log' => 'Prohibited header \'X-Aaaaaaaaaa\' or \'X-Aaaaaaaaaaaa\' present'),
diff --git a/include/bad-behavior/roundtripdns.inc.php b/include/bad-behavior/roundtripdns.inc.php
new file mode 100644
index 0000000..0c993ec
--- /dev/null
+++ b/include/bad-behavior/roundtripdns.inc.php
@@ -0,0 +1,20 @@
+<?php if (!defined('BB2_CORE')) die("I said no cheating!");
+
+# Round trip DNS verification
+
+# Returns TRUE if DNS matches; FALSE on mismatch
+# Returns $ip if an error occurs
+# TODO: Not IPv6 safe
+# FIXME: Returns false on DNS server failure; PHP provides no distinction
+# between no records and error condition
+function bb2_roundtripdns($ip,$domain)
+{
+ if (@is_ipv6($ip)) return $ip;
+
+ $host = gethostbyaddr($ip);
+ $host_result = strpos(strrev($host), strrev($domain));
+ if ($host_result === false || $host_result > 0) return false;
+ $addrs = gethostbynamel($host);
+ if (in_array($ip, $addrs)) return true;
+ return false;
+}
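Review bot: The suffix test `strpos(strrev($host), strrev($domain))` only requires that the PTR name end in the characters of `$domain`, not that it be `$domain` or a subdomain of it: a host whose reverse record is `notgooglebot.com` or `evilcloudflare.com` gives `$host_result === 0` and passes, and because the owner of such a domain also controls its forward records the `gethostbynamel` step then confirms it. Anchor on a label boundary before the forward lookup, `if ($host !== $domain && substr($host, -strlen('.' . $domain)) !== '.' . $domain) return false;`. `gethostbynamel` returns `false` when the name does not resolve, and `in_array($ip, false)` is a warning (a TypeError on PHP 8), so add `if ($addrs === false) return false;` before it. The header comment's "Returns $ip if an error occurs" describes only the IPv6 early return, and that value is truthy, so every caller comparing with `!` treats unverified IPv6 as verified — say so explicitly, e.g. `# NOTE: IPv6 input is returned unverified (truthy); compare with === true to fail closed`.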
diff --git a/include/bad-behavior/version.inc.php b/include/bad-behavior/version.inc.php
index f615eae..9b7cde8 100644
--- a/include/bad-behavior/version.inc.php
+++ b/include/bad-behavior/version.inc.php
@@ -1,3 +1,3 @@
<?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.1.2");
+define('BB2_VERSION', "2.1.7");
?>
diff --git a/include/whitelist.ini b/include/whitelist.ini
new file mode 100644
index 0000000..83d248c
--- /dev/null
+++ b/include/whitelist.ini
@@ -0,0 +1,26 @@
+; Inappropriate whitelisting WILL expose you to spam, or cause Bad Behavior
+; to stop functioning entirely! DO NOT WHITELIST unless you are 100% CERTAIN
+; that you should.
+
+; IP address ranges use the CIDR format.
+
+[ip]
+; Digg whitelisted as of 2.0.12
+ip[] = "64.191.203.34"
+ip[] = "208.67.217.130"
+; RFC 1918 addresses
+ip[] = "10.0.0.0/8"
+ip[] = "172.16.0.0/12"
+ip[] = "192.168.0.0/16"
+
+; User agents are matched by exact match only.
+
+[useragent]
+useragent[] = "Mozilla/4.0 (It's me, let me in)"
+
+; URLs are matched from the first / after the server name up to, but not
+; including, the ? (if any). The URL to be whitelisted is a URL on YOUR site.
+
+[url]
+url[] = "/example.php"
+url[] = "/openid/server"
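Review bot: The shipped `[ip]` section whitelists all three RFC 1918 ranges while the header above warns never to whitelist without being certain; after this commit the address these CIDRs are presumably matched against is `$package['ip']`, which core.inc.php takes from the `Cf-Connecting-Ip` header whenever that header is present, so these entries are only safe as long as the CloudFlare verification that runs ahead of the whitelist cannot be fooled. Unless the forum really has internal callers that must bypass screening, ship them disabled (`; ip[] = "10.0.0.0/8"` and likewise for the other two) and leave enabling them to the site administrator. The two Digg addresses should carry a date or a note on how they were verified, since a hard-coded IP whitelist silently inherits whoever holds the address later.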
diff --git a/plugins/AP_Bad_Behavior.php b/plugins/AP_Bad_Behavior.php
index 188807c..3c0b41d 100644
--- a/plugins/AP_Bad_Behavior.php
+++ b/plugins/AP_Bad_Behavior.php
@@ -63,6 +63,7 @@ else
<div class="box">
<div class="inbox">
<p><?php echo bb2_insert_stats(true) ?></p>
+ <p>Powered by <a href="http://www.bad-behavior.ioerror.us/">Bad Behavior</a> version <?php echo BB2_VERSION ?></p>
</div>
</div>
<h2 class="block2"><span>Settings</span></h2>