implement a protection against transparent proxies

This commit is contained in:
czaks 2015-03-24 05:19:25 +01:00
parent 9fa320838b
commit 10f93d0d43
3 changed files with 34 additions and 13 deletions

View File

@ -290,6 +290,12 @@
// Ability to lock a board for normal users and still allow mods to post. Could also be useful for making an archive board
$config['board_locked'] = false;
// If poster's proxy supplies X-Forwarded-For header, check if poster's real IP is banned.
$config['proxy_check'] = false;
// If poster's proxy supplies X-Forwarded-For header, save it for further inspection and/or filtering.
$config['proxy_save'] = false;
/*
* Custom filters detect certain posts and reject/ban accordingly. They are made up of a condition and an
* action (for when ALL conditions are met). As every single post has to be put through each filter,

View File

@ -810,6 +810,15 @@ function checkBan($board = false) {
if (event('check-ban', $board))
return true;
$ips = array();
$ips[] = $_SERVER['REMOTE_ADDR'];
if ($config['proxy_check'] && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ips = array_merge($ips, explode(", ", $_SERVER['HTTP_X_FORWARDED_FOR']));
}
foreach ($ips as $ip) {
$bans = Bans::find($_SERVER['REMOTE_ADDR'], $board, $config['show_modname']);
foreach ($bans as &$ban) {
@ -832,6 +841,7 @@ function checkBan($board = false) {
}
}
}
}
// I'm not sure where else to put this. It doesn't really matter where; it just needs to be called every
// now and then to keep the ban list tidy.

View File

@ -531,6 +531,11 @@ if (isset($_POST['delete'])) {
"\n<tinyboard flag alt>" . $flag_alt . "</tinyboard>";
}
if ($config['proxy_save'] && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$proxy = preg_replace("/[^0-9a-fA-F.,: ]/", '', $_SERVER['HTTP_X_FORWARDED_FOR']);
$post['body'] .= "\n<tinyboard proxy>".$proxy."</tinyboard>";
}
if (mysql_version() >= 50503) {
$post['body_nomarkup'] = $post['body']; // Assume we're using the utf8mb4 charset
} else {