From 75093f6d8f7d2824404ff50406ff9c2a82641df1 Mon Sep 17 00:00:00 2001 From: Sarjuuk Date: Tue, 23 Sep 2014 22:30:11 +0200 Subject: [PATCH] - check different request-header to determine the users IP - block access if it cant be reliably deetermined - increase field size in db to accomodate IPv6 --- includes/ajaxHandler.class.php | 11 +++++---- includes/user.class.php | 44 ++++++++++++++++++++++++++++------ setup/updates/12_account.sql | 11 +++++++++ 3 files changed, 55 insertions(+), 11 deletions(-) create mode 100644 setup/updates/12_account.sql diff --git a/includes/ajaxHandler.class.php b/includes/ajaxHandler.class.php index 9299527d..292e00fa 100644 --- a/includes/ajaxHandler.class.php +++ b/includes/ajaxHandler.class.php @@ -241,16 +241,19 @@ class AjaxHandler if (mb_strlen($desc) > 500) return 2; + if (!User::$id && !User::$ip) + return 'your ip could not be determined'; + // check already reported $field = User::$id ? 'userId' : 'ip'; - if (DB::Aowow()->selectCell('SELECT 1 FROM ?_reports WHERE `mode` = ?d AND `reason`= ?d AND `subject` = ?d AND ?# = ?', $mode, $rsn, $subj, $field, User::$id ? User::$id : $_SERVER['REMOTE_ADDR'])) + if (DB::Aowow()->selectCell('SELECT 1 FROM ?_reports WHERE `mode` = ?d AND `reason`= ?d AND `subject` = ?d AND ?# = ?', $mode, $rsn, $subj, $field, User::$id ?: User::$ip)) return 7; $update = array( 'userId' => User::$id, 'mode' => $mode, 'reason' => $rsn, - 'ip' => $_SERVER['REMOTE_ADDR'], + 'ip' => User::$ip, 'description' => $desc, 'userAgent' => $ua, 'appName' => $app, @@ -474,7 +477,7 @@ class AjaxHandler 'INSERT INTO ?_reports (userId, mode, reason, subject, ip, description, userAgent, appName) VALUES (?d, 1, 17, ?d, ?, "", ?, ?)', User::$id, $this->post['id'], - $_SERVER['REMOTE_ADDR'], + User::$ip, $_SERVER['HTTP_USER_AGENT'], get_browser(null, true)['browser'] ); @@ -551,7 +554,7 @@ class AjaxHandler 'INSERT INTO ?_reports (userId, mode, reason, subject, ip, description, userAgent, appName) VALUES (?d, 1, 19, ?d, ?, "", ?, ?)', User::$id, $this->post['id'], - $_SERVER['REMOTE_ADDR'], + User::$ip, $_SERVER['HTTP_USER_AGENT'], get_browser(null, true)['browser'] ); diff --git a/includes/user.class.php b/includes/user.class.php index 18b95262..ac670133 100644 --- a/includes/user.class.php +++ b/includes/user.class.php @@ -15,6 +15,7 @@ class User public static $localeString = 'enus'; public static $avatar = 'inv_misc_questionmark'; public static $dailyVotes = 0; + public static $ip = null; private static $reputation = 0; private static $dataKey = ''; @@ -23,6 +24,7 @@ class User public static function init() { + self::setIP(); self::setLocale(); // session have a dataKey to access the JScripts (yes, also the anons) @@ -31,13 +33,16 @@ class User self::$dataKey = $_SESSION['dataKey']; + if (!self::$ip) + return false; + // check IP bans - if ($ipBan = DB::Aowow()->selectRow('SELECT count, unbanDate FROM ?_account_bannedips WHERE ip = ? AND type = 0', $_SERVER['REMOTE_ADDR'])) + if ($ipBan = DB::Aowow()->selectRow('SELECT count, unbanDate FROM ?_account_bannedips WHERE ip = ? AND type = 0', self::$ip)) { if ($ipBan['count'] > CFG_FAILED_AUTH_COUNT && $ipBan['unbanDate'] > time()) return false; else if ($ipBan['unbanDate'] <= time()) - DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE ip = ?', $_SERVER['REMOTE_ADDR']); + DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE ip = ?', self::$ip); } // try to restore session @@ -101,7 +106,7 @@ class User SET dailyVotes = ?d, prevLogin = curLogin, curLogin = UNIX_TIMESTAMP(), prevIP = curIP, curIP = ? WHERE id = ?d', self::$dailyVotes, - $_SERVER['REMOTE_ADDR'], + self::$ip, self::$id ); @@ -121,6 +126,28 @@ class User return true; } + private static function setIP() + { + $ipAddr = ''; + $method = ['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR']; + + foreach ($method as $m) + { + if ($ipAddr = getenv($m)) + { + // check IPv4 + if ($ipAddr = filter_var($ipAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) + break; + + // check IPv6 + if ($ipAddr = filter_var($ipAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) + break; + } + } + + self::$ip = $ipAddr ?: null; + } + /****************/ /* set language */ /****************/ @@ -186,12 +213,15 @@ class User { case AUTH_MODE_SELF: { + if (!self::$ip) + return AUTH_INTERNAL_ERR; + // handle login try limitation - $ip = DB::Aowow()->selectRow('SELECT ip, count, unbanDate FROM ?_account_bannedips WHERE type = 0 AND ip = ?', $_SERVER['REMOTE_ADDR']); + $ip = DB::Aowow()->selectRow('SELECT ip, count, unbanDate FROM ?_account_bannedips WHERE type = 0 AND ip = ?', self::$ip); if (!$ip || $ip['unbanDate'] < time()) // no entry exists or time expired; set count to 1 - DB::Aowow()->query('REPLACE INTO ?_account_bannedips (ip, type, count, unbanDate) VALUES (?, 0, 1, UNIX_TIMESTAMP() + ?d)', $_SERVER['REMOTE_ADDR'], CFG_FAILED_AUTH_EXCLUSION); + DB::Aowow()->query('REPLACE INTO ?_account_bannedips (ip, type, count, unbanDate) VALUES (?, 0, 1, UNIX_TIMESTAMP() + ?d)', self::$ip, CFG_FAILED_AUTH_EXCLUSION); else // entry already exists; increment count - DB::Aowow()->query('UPDATE ?_account_bannedips SET count = count + 1, unbanDate = UNIX_TIMESTAMP() + ?d WHERE ip = ?', CFG_FAILED_AUTH_EXCLUSION, $_SERVER['REMOTE_ADDR']); + DB::Aowow()->query('UPDATE ?_account_bannedips SET count = count + 1, unbanDate = UNIX_TIMESTAMP() + ?d WHERE ip = ?', CFG_FAILED_AUTH_EXCLUSION, self::$ip); if ($ip && $ip['count'] >= CFG_FAILED_AUTH_COUNT && $ip['unbanDate'] >= time()) return AUTH_IPBANNED; @@ -215,7 +245,7 @@ class User return AUTH_ACC_INACTIVE; // successfull auth; clear bans for this IP - DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE type = 0 AND ip = ?', $_SERVER['REMOTE_ADDR']); + DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE type = 0 AND ip = ?', self::$ip); if ($query['bans'] & (ACC_BAN_PERM | ACC_BAN_TEMP)) return AUTH_BANNED; diff --git a/setup/updates/12_account.sql b/setup/updates/12_account.sql new file mode 100644 index 00000000..13444c0a --- /dev/null +++ b/setup/updates/12_account.sql @@ -0,0 +1,11 @@ +ALTER TABLE `aowow_account` + ALTER `curIP` DROP DEFAULT, + ALTER `prevIP` DROP DEFAULT; +ALTER TABLE `aowow_account` + CHANGE COLUMN `curIP` `curIP` VARCHAR(45) NOT NULL AFTER `consecutiveVisits`, + CHANGE COLUMN `prevIP` `prevIP` VARCHAR(45) NOT NULL AFTER `curIP`; + +ALTER TABLE `aowow_account_bannedips` + ALTER `ip` DROP DEFAULT; +ALTER TABLE `aowow_account_bannedips` + CHANGE COLUMN `ip` `ip` VARCHAR(45) NOT NULL FIRST;