yolinlin/aowow
1
0
Fork 0
mirror of https://github.com/Sarjuuk/aowow.git synced 2025-11-29 15:58:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

- check different request-header to determine the users IP

Browse Source 
- block access if it cant be reliably deetermined
- increase field size in db to accomodate IPv6
This commit is contained in:
Sarjuuk
2014-09-23 22:30:11 +02:00
parent 979eaa1219
commit 75093f6d8f
3 changed files with 55 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
includes/ajaxHandler.class.php
View File

@@ -241,16 +241,19 @@ class AjaxHandler
if (mb_strlen($desc) > 500) if (mb_strlen($desc) > 500)
return 2; return 2;
if (!User::$id && !User::$ip)
return 'your ip could not be determined';
// check already reported // check already reported
$field = User::$id ? 'userId' : 'ip'; $field = User::$id ? 'userId' : 'ip';
if (DB::Aowow()->selectCell('SELECT 1 FROM ?_reports WHERE `mode` = ?d AND `reason`= ?d AND `subject` = ?d AND ?# = ?', $mode, $rsn, $subj, $field, User::$id ? User::$id : $_SERVER['REMOTE_ADDR'])) if (DB::Aowow()->selectCell('SELECT 1 FROM ?_reports WHERE `mode` = ?d AND `reason`= ?d AND `subject` = ?d AND ?# = ?', $mode, $rsn, $subj, $field, User::$id ?: User::$ip))
return 7; return 7;
$update = array( $update = array(
'userId' => User::$id, 'userId' => User::$id,
'mode' => $mode, 'mode' => $mode,
'reason' => $rsn, 'reason' => $rsn,
'ip' => $_SERVER['REMOTE_ADDR'], 'ip' => User::$ip,
'description' => $desc, 'description' => $desc,
'userAgent' => $ua, 'userAgent' => $ua,
'appName' => $app, 'appName' => $app,
@@ -474,7 +477,7 @@ class AjaxHandler
'INSERT INTO ?_reports (userId, mode, reason, subject, ip, description, userAgent, appName) VALUES (?d, 1, 17, ?d, ?, "<automated comment report>", ?, ?)', 'INSERT INTO ?_reports (userId, mode, reason, subject, ip, description, userAgent, appName) VALUES (?d, 1, 17, ?d, ?, "<automated comment report>", ?, ?)',
User::$id, User::$id,
$this->post['id'], $this->post['id'],
$_SERVER['REMOTE_ADDR'], User::$ip,
$_SERVER['HTTP_USER_AGENT'], $_SERVER['HTTP_USER_AGENT'],
get_browser(null, true)['browser'] get_browser(null, true)['browser']
); );
@@ -551,7 +554,7 @@ class AjaxHandler
'INSERT INTO ?_reports (userId, mode, reason, subject, ip, description, userAgent, appName) VALUES (?d, 1, 19, ?d, ?, "<automated commentreply report>", ?, ?)', 'INSERT INTO ?_reports (userId, mode, reason, subject, ip, description, userAgent, appName) VALUES (?d, 1, 19, ?d, ?, "<automated commentreply report>", ?, ?)',
User::$id, User::$id,
$this->post['id'], $this->post['id'],
$_SERVER['REMOTE_ADDR'], User::$ip,
$_SERVER['HTTP_USER_AGENT'], $_SERVER['HTTP_USER_AGENT'],
get_browser(null, true)['browser'] get_browser(null, true)['browser']
); );

44
includes/user.class.php
View File

@@ -15,6 +15,7 @@ class User
public static $localeString = 'enus'; public static $localeString = 'enus';
public static $avatar = 'inv_misc_questionmark'; public static $avatar = 'inv_misc_questionmark';
public static $dailyVotes = 0; public static $dailyVotes = 0;
public static $ip = null;
private static $reputation = 0; private static $reputation = 0;
private static $dataKey = ''; private static $dataKey = '';
@@ -23,6 +24,7 @@ class User
public static function init() public static function init()
{ {
self::setIP();
self::setLocale(); self::setLocale();
// session have a dataKey to access the JScripts (yes, also the anons) // session have a dataKey to access the JScripts (yes, also the anons)
@@ -31,13 +33,16 @@ class User
self::$dataKey = $_SESSION['dataKey']; self::$dataKey = $_SESSION['dataKey'];
if (!self::$ip)
return false;
// check IP bans // check IP bans
if ($ipBan = DB::Aowow()->selectRow('SELECT count, unbanDate FROM ?_account_bannedips WHERE ip = ? AND type = 0', $_SERVER['REMOTE_ADDR'])) if ($ipBan = DB::Aowow()->selectRow('SELECT count, unbanDate FROM ?_account_bannedips WHERE ip = ? AND type = 0', self::$ip))
{ {
if ($ipBan['count'] > CFG_FAILED_AUTH_COUNT && $ipBan['unbanDate'] > time()) if ($ipBan['count'] > CFG_FAILED_AUTH_COUNT && $ipBan['unbanDate'] > time())
return false; return false;
else if ($ipBan['unbanDate'] <= time()) else if ($ipBan['unbanDate'] <= time())
DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE ip = ?', $_SERVER['REMOTE_ADDR']); DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE ip = ?', self::$ip);
} }
// try to restore session // try to restore session
@@ -101,7 +106,7 @@ class User
SET dailyVotes = ?d, prevLogin = curLogin, curLogin = UNIX_TIMESTAMP(), prevIP = curIP, curIP = ? SET dailyVotes = ?d, prevLogin = curLogin, curLogin = UNIX_TIMESTAMP(), prevIP = curIP, curIP = ?
WHERE id = ?d', WHERE id = ?d',
self::$dailyVotes, self::$dailyVotes,
$_SERVER['REMOTE_ADDR'], self::$ip,
self::$id self::$id
); );
@@ -121,6 +126,28 @@ class User
return true; return true;
} }
private static function setIP()
{
$ipAddr = '';
$method = ['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR'];
foreach ($method as $m)
{
if ($ipAddr = getenv($m))
{
// check IPv4
if ($ipAddr = filter_var($ipAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE))
break;
// check IPv6
if ($ipAddr = filter_var($ipAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE))
break;
}
}
self::$ip = $ipAddr ?: null;
}
/****************/ /****************/
/* set language */ /* set language */
/****************/ /****************/
@@ -186,12 +213,15 @@ class User
{ {
case AUTH_MODE_SELF: case AUTH_MODE_SELF:
{ {
if (!self::$ip)
return AUTH_INTERNAL_ERR;
// handle login try limitation // handle login try limitation
$ip = DB::Aowow()->selectRow('SELECT ip, count, unbanDate FROM ?_account_bannedips WHERE type = 0 AND ip = ?', $_SERVER['REMOTE_ADDR']); $ip = DB::Aowow()->selectRow('SELECT ip, count, unbanDate FROM ?_account_bannedips WHERE type = 0 AND ip = ?', self::$ip);
if (!$ip || $ip['unbanDate'] < time()) // no entry exists or time expired; set count to 1 if (!$ip || $ip['unbanDate'] < time()) // no entry exists or time expired; set count to 1
DB::Aowow()->query('REPLACE INTO ?_account_bannedips (ip, type, count, unbanDate) VALUES (?, 0, 1, UNIX_TIMESTAMP() + ?d)', $_SERVER['REMOTE_ADDR'], CFG_FAILED_AUTH_EXCLUSION); DB::Aowow()->query('REPLACE INTO ?_account_bannedips (ip, type, count, unbanDate) VALUES (?, 0, 1, UNIX_TIMESTAMP() + ?d)', self::$ip, CFG_FAILED_AUTH_EXCLUSION);
else // entry already exists; increment count else // entry already exists; increment count
DB::Aowow()->query('UPDATE ?_account_bannedips SET count = count + 1, unbanDate = UNIX_TIMESTAMP() + ?d WHERE ip = ?', CFG_FAILED_AUTH_EXCLUSION, $_SERVER['REMOTE_ADDR']); DB::Aowow()->query('UPDATE ?_account_bannedips SET count = count + 1, unbanDate = UNIX_TIMESTAMP() + ?d WHERE ip = ?', CFG_FAILED_AUTH_EXCLUSION, self::$ip);
if ($ip && $ip['count'] >= CFG_FAILED_AUTH_COUNT && $ip['unbanDate'] >= time()) if ($ip && $ip['count'] >= CFG_FAILED_AUTH_COUNT && $ip['unbanDate'] >= time())
return AUTH_IPBANNED; return AUTH_IPBANNED;
@@ -215,7 +245,7 @@ class User
return AUTH_ACC_INACTIVE; return AUTH_ACC_INACTIVE;
// successfull auth; clear bans for this IP // successfull auth; clear bans for this IP
DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE type = 0 AND ip = ?', $_SERVER['REMOTE_ADDR']); DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE type = 0 AND ip = ?', self::$ip);
if ($query['bans'] & (ACC_BAN_PERM | ACC_BAN_TEMP)) if ($query['bans'] & (ACC_BAN_PERM | ACC_BAN_TEMP))
return AUTH_BANNED; return AUTH_BANNED;

11
setup/updates/12_account.sql Normal file
View File

@@ -0,0 +1,11 @@
ALTER TABLE `aowow_account`
ALTER `curIP` DROP DEFAULT,
ALTER `prevIP` DROP DEFAULT;
ALTER TABLE `aowow_account`
CHANGE COLUMN `curIP` `curIP` VARCHAR(45) NOT NULL AFTER `consecutiveVisits`,
CHANGE COLUMN `prevIP` `prevIP` VARCHAR(45) NOT NULL AFTER `curIP`;
ALTER TABLE `aowow_account_bannedips`
ALTER `ip` DROP DEFAULT;
ALTER TABLE `aowow_account_bannedips`
CHANGE COLUMN `ip` `ip` VARCHAR(45) NOT NULL FIRST;