- check different request-header to determine the users IP

- block access if it cant be reliably deetermined - increase field size in db to accomodate IPv6
2025-11-29 15:58:16 +08:00 · 2014-09-23 22:30:11 +02:00
parent 979eaa1219
commit 75093f6d8f
3 changed files with 55 additions and 11 deletions
--- a/includes/ajaxHandler.class.php
+++ b/includes/ajaxHandler.class.php
@@ -241,16 +241,19 @@ class AjaxHandler
        if (mb_strlen($desc) > 500)
            return 2;

+        if (!User::$id && !User::$ip)
+            return 'your ip could not be determined';
+
        // check already reported
        $field = User::$id ? 'userId' : 'ip';
-        if (DB::Aowow()->selectCell('SELECT 1 FROM ?_reports WHERE `mode` = ?d AND `reason`= ?d AND `subject` = ?d AND ?# = ?', $mode, $rsn, $subj, $field, User::$id ? User::$id : $_SERVER['REMOTE_ADDR']))
+        if (DB::Aowow()->selectCell('SELECT 1 FROM ?_reports WHERE `mode` = ?d AND `reason`= ?d AND `subject` = ?d AND ?# = ?', $mode, $rsn, $subj, $field, User::$id ?: User::$ip))
            return 7;

        $update = array(
            'userId'      => User::$id,
            'mode'        => $mode,
            'reason'      => $rsn,
-            'ip'          => $_SERVER['REMOTE_ADDR'],
+            'ip'          => User::$ip,
            'description' => $desc,
            'userAgent'   => $ua,
            'appName'     => $app,
@@ -474,7 +477,7 @@ class AjaxHandler
                        'INSERT INTO ?_reports (userId, mode, reason, subject, ip, description, userAgent, appName) VALUES (?d, 1, 17, ?d, ?, "<automated comment report>", ?, ?)',
                        User::$id,
                        $this->post['id'],
-                        $_SERVER['REMOTE_ADDR'],
+                        User::$ip,
                        $_SERVER['HTTP_USER_AGENT'],
                        get_browser(null, true)['browser']
                    );
@@ -551,7 +554,7 @@ class AjaxHandler
                    'INSERT INTO ?_reports (userId, mode, reason, subject, ip, description, userAgent, appName) VALUES (?d, 1, 19, ?d, ?, "<automated commentreply report>", ?, ?)',
                    User::$id,
                    $this->post['id'],
-                    $_SERVER['REMOTE_ADDR'],
+                    User::$ip,
                    $_SERVER['HTTP_USER_AGENT'],
                    get_browser(null, true)['browser']
                );
--- a/includes/user.class.php
+++ b/includes/user.class.php
@@ -15,6 +15,7 @@ class User
    public static $localeString = 'enus';
    public static $avatar       = 'inv_misc_questionmark';
    public static $dailyVotes   = 0;
+    public static $ip           = null;

    private static $reputation  = 0;
    private static $dataKey     = '';
@@ -23,6 +24,7 @@ class User

    public static function init()
    {
+        self::setIP();
        self::setLocale();

        // session have a dataKey to access the JScripts (yes, also the anons)
@@ -31,13 +33,16 @@ class User

        self::$dataKey = $_SESSION['dataKey'];

+        if (!self::$ip)
+            return false;
+
        // check IP bans
-        if ($ipBan = DB::Aowow()->selectRow('SELECT count, unbanDate FROM ?_account_bannedips WHERE ip = ? AND type = 0', $_SERVER['REMOTE_ADDR']))
+        if ($ipBan = DB::Aowow()->selectRow('SELECT count, unbanDate FROM ?_account_bannedips WHERE ip = ? AND type = 0', self::$ip))
        {
            if ($ipBan['count'] > CFG_FAILED_AUTH_COUNT && $ipBan['unbanDate'] > time())
                return false;
            else if ($ipBan['unbanDate'] <= time())
-                DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE ip = ?', $_SERVER['REMOTE_ADDR']);
+                DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE ip = ?', self::$ip);
        }

        // try to restore session
@@ -101,7 +106,7 @@ class User
                    SET     dailyVotes = ?d, prevLogin = curLogin, curLogin = UNIX_TIMESTAMP(), prevIP = curIP, curIP = ?
                    WHERE   id = ?d',
                    self::$dailyVotes,
-                    $_SERVER['REMOTE_ADDR'],
+                    self::$ip,
                    self::$id
                );

@@ -121,6 +126,28 @@ class User
        return true;
    }

+    private static function setIP()
+    {
+        $ipAddr = '';
+        $method = ['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR'];
+
+        foreach ($method as $m)
+        {
+            if ($ipAddr = getenv($m))
+            {
+                // check IPv4
+                if ($ipAddr = filter_var($ipAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE))
+                    break;
+
+                // check IPv6
+                if ($ipAddr = filter_var($ipAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE))
+                    break;
+            }
+        }
+
+        self::$ip = $ipAddr ?: null;
+    }
+
    /****************/
    /* set language */
    /****************/
@@ -186,12 +213,15 @@ class User
        {
            case AUTH_MODE_SELF:
            {
+                if (!self::$ip)
+                    return AUTH_INTERNAL_ERR;
+
                // handle login try limitation
-                $ip = DB::Aowow()->selectRow('SELECT ip, count, unbanDate FROM ?_account_bannedips WHERE type = 0 AND ip = ?', $_SERVER['REMOTE_ADDR']);
+                $ip = DB::Aowow()->selectRow('SELECT ip, count, unbanDate FROM ?_account_bannedips WHERE type = 0 AND ip = ?', self::$ip);
                if (!$ip || $ip['unbanDate'] < time())      // no entry exists or time expired; set count to 1
-                    DB::Aowow()->query('REPLACE INTO ?_account_bannedips (ip, type, count, unbanDate) VALUES (?, 0, 1, UNIX_TIMESTAMP() + ?d)', $_SERVER['REMOTE_ADDR'], CFG_FAILED_AUTH_EXCLUSION);
+                    DB::Aowow()->query('REPLACE INTO ?_account_bannedips (ip, type, count, unbanDate) VALUES (?, 0, 1, UNIX_TIMESTAMP() + ?d)', self::$ip, CFG_FAILED_AUTH_EXCLUSION);
                else                                        // entry already exists; increment count
-                    DB::Aowow()->query('UPDATE ?_account_bannedips SET count = count + 1, unbanDate = UNIX_TIMESTAMP() + ?d WHERE ip = ?', CFG_FAILED_AUTH_EXCLUSION, $_SERVER['REMOTE_ADDR']);
+                    DB::Aowow()->query('UPDATE ?_account_bannedips SET count = count + 1, unbanDate = UNIX_TIMESTAMP() + ?d WHERE ip = ?', CFG_FAILED_AUTH_EXCLUSION, self::$ip);

                if ($ip && $ip['count'] >= CFG_FAILED_AUTH_COUNT && $ip['unbanDate'] >= time())
                    return AUTH_IPBANNED;
@@ -215,7 +245,7 @@ class User
                    return AUTH_ACC_INACTIVE;

                // successfull auth; clear bans for this IP
-                DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE type = 0 AND ip = ?', $_SERVER['REMOTE_ADDR']);
+                DB::Aowow()->query('DELETE FROM ?_account_bannedips WHERE type = 0 AND ip = ?', self::$ip);

                if ($query['bans'] & (ACC_BAN_PERM | ACC_BAN_TEMP))
                    return AUTH_BANNED;
--- a/setup/updates/12_account.sql
+++ b/setup/updates/12_account.sql
@@ -0,0 +1,11 @@
+ALTER TABLE `aowow_account`
+	ALTER `curIP` DROP DEFAULT,
+	ALTER `prevIP` DROP DEFAULT;
+ALTER TABLE `aowow_account`
+	CHANGE COLUMN `curIP` `curIP` VARCHAR(45) NOT NULL AFTER `consecutiveVisits`,
+	CHANGE COLUMN `prevIP` `prevIP` VARCHAR(45) NOT NULL AFTER `curIP`;
+
+ALTER TABLE `aowow_account_bannedips`
+    ALTER `ip` DROP DEFAULT;
+ALTER TABLE `aowow_account_bannedips`
+    CHANGE COLUMN `ip` `ip` VARCHAR(45) NOT NULL FIRST;