mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-02 20:57:26 +02:00
Code Issues Releases Wiki Activity

More work on ban handling

Browse Source
This commit is contained in:
e107steved
2011-12-30 10:38:05 +00:00
parent 8b6ac10e55
commit 86030cd8f9
2 changed files with 100 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
e107_admin/banlist.php
View File

@@ -87,12 +87,12 @@ if (isset($_POST['update_ban_prefs'])) // Update ban messages
$i = abs($bt) + 1; // Forces a single-digit positive number for part of field name $i = abs($bt) + 1; // Forces a single-digit positive number for part of field name
$t1 = $tp->toDB(varset($_POST['ban_text_'.($i)],'')); $t1 = $tp->toDB(varset($_POST['ban_text_'.($i)],''));
$t2 = intval(varset($_POST['ban_time_'.($i)],0)); $t2 = intval(varset($_POST['ban_time_'.($i)],0));
if ($pref['ban_messages'][$bt] != $t1) if (!isset($pref['ban_messages'][$bt]) || ($pref['ban_messages'][$bt] != $t1))
{ {
$pref['ban_messages'][$bt] = $t1; $pref['ban_messages'][$bt] = $t1;
$changed = TRUE; $changed = TRUE;
} }
if ($pref['ban_durations'][$bt] != $t2) if (!isset($pref['ban_durations'][$bt]) || ($pref['ban_durations'][$bt] != $t2))
{ {
$pref['ban_durations'][$bt] = $t2; $pref['ban_durations'][$bt] = $t2;
$changed = TRUE; $changed = TRUE;
@@ -1007,7 +1007,7 @@ function parse_date($instr)
function process_csv($filename, $override_imports, $override_expiry, $separator = ',', $quote = '"') function process_csv($filename, $override_imports, $override_expiry, $separator = ',', $quote = '"')
{ {
$sql = e107::getDb(); $sql = e107::getDb();
$pref['ban_durations'] = e107::getPref('ban_durations'); // @todo - check this $pref['ban_durations'] = e107::getPref('ban_durations');
$emessage = &eMessage::getInstance(); $emessage = &eMessage::getInstance();
// echo "Read CSV: {$filename} separator: {$separator}, quote: {$quote} override imports: {$override_imports} override expiry: {$override_expiry}<br />"; // echo "Read CSV: {$filename} separator: {$separator}, quote: {$quote} override imports: {$override_imports} override expiry: {$override_expiry}<br />";

145
e107_handlers/iphandler_class.php
View File

@@ -91,6 +91,7 @@ class eIPHandler
const BAN_FILE_ACTION_NAME = 'banactions'; /// Details of actions for different ban types const BAN_FILE_ACTION_NAME = 'banactions'; /// Details of actions for different ban types
const BAN_FILE_HTACCESS = 'banhtaccess'; /// File in format for direct paste into .htaccess const BAN_FILE_HTACCESS = 'banhtaccess'; /// File in format for direct paste into .htaccess
const BAN_FILE_CSV_NAME = 'banlistcsv'; /// Output file in CSV format const BAN_FILE_CSV_NAME = 'banlistcsv'; /// Output file in CSV format
const BAN_FILE_RETRIGGER_NAME = 'banretrigger'; /// Any bans needing retriggering
const BAN_FILE_EXTENSION = '.php'; /// File extension to use const BAN_FILE_EXTENSION = '.php'; /// File extension to use
/** /**
@@ -129,6 +130,11 @@ class eIPHandler
private $clearBan = FALSE; private $clearBan = FALSE;
/**
* IP Address from ban list file which matched (may have wildcards)
*/
private $matchAddress = '';
/** /**
* Number of entries read from banlist/whitelist * Number of entries read from banlist/whitelist
*/ */
@@ -241,7 +247,7 @@ class eIPHandler
* *
* @return boolean TRUE if routable, FALSE if not * @return boolean TRUE if routable, FALSE if not
@todo handle IPV6 @todo handle IPV6 fully
*/ */
public function isAddressRoutable($ip) public function isAddressRoutable($ip)
{ {
@@ -270,6 +276,7 @@ class eIPHandler
// ff02::1:ff00:0/104 - Solicited-Node multicast addresses - add? // ff02::1:ff00:0/104 - Solicited-Node multicast addresses - add?
// 2001:0000::/29 through 2001:01f8::/29 - special purpose addresses // 2001:0000::/29 through 2001:01f8::/29 - special purpose addresses
// 2001:db8::/32 - used in documentation // 2001:db8::/32 - used in documentation
return TRUE;
} }
@@ -288,7 +295,7 @@ class eIPHandler
{ {
if (!$this->isAddressRoutable($ip)) if (!$this->isAddressRoutable($ip))
{ {
$ip3 = explode(',', $ip4); $ip3 = explode(',', $ip4); // May only be one address; could be several, comma separated, if multiple proxies used
$ip = trim($ip3[sizeof($ip3) - 1]); // If IP address is unroutable, replace with any forwarded_for address $ip = trim($ip3[sizeof($ip3) - 1]); // If IP address is unroutable, replace with any forwarded_for address
$this->logBanItem(0, 'X_Forward '.$ip4.' --> '.$ip); // Just log for interest ATM $this->logBanItem(0, 'X_Forward '.$ip4.' --> '.$ip); // Just log for interest ATM
} }
@@ -342,7 +349,7 @@ class eIPHandler
if ($vals === FALSE) return; if ($vals === FALSE) return;
if (substr($vals[0], 0, 5) != '<?php') if (substr($vals[0], 0, 5) != '<?php')
{ {
echo "Invalid message file"; echo 'Invalid message file';
die(); die();
} }
unset($vals[0]); unset($vals[0]);
@@ -351,6 +358,15 @@ class eIPHandler
if (substr($line, 0, 1) == ';') continue; if (substr($line, 0, 1) == ';') continue;
if (strpos($line, $search) === 0) if (strpos($line, $search) === 0)
{ // Found the action line { // Found the action line
if (e107::getPref('ban_retrigger'))
{
if ($tmp = fopen($this->ourConfigDir.eIPHandler::BAN_FILE_RETRIGGER_NAME.eIPHandler::BAN_FILE_EXTENSION, 'a'))
{
$logLine = time().' '.$this->matchAddress.' '.$code.' Retrigger: '.$this->ourIP."\n"; // Same format as log entries - can share routines
fwrite($tmp,$logLine);
fclose($tmp);
}
}
$line = trim(substr($line, strlen($search))); $line = trim(substr($line, strlen($search)));
if ((strpos($line, 'http://') === 0) || (strpos($line, 'https://') === 0)) if ((strpos($line, 'http://') === 0) || (strpos($line, 'https://') === 0))
{ // Display a specific web page { // Display a specific web page
@@ -383,7 +399,7 @@ class eIPHandler
* Format of each line is: * Format of each line is:
* IP_address action expiry_time additional_parameters * IP_address action expiry_time additional_parameters
* *
* where action is: +1 = whitelisted, <0 blacklisted, value is 'reason code' * where action is: >0 = whitelisted, <0 blacklisted, value is 'reason code'
* expiry_time is zero for an indefinite ban, time stamp for a limited ban * expiry_time is zero for an indefinite ban, time stamp for a limited ban
* additional_parameters may be required for certain actions in the future * additional_parameters may be required for certain actions in the future
*/ */
@@ -397,8 +413,8 @@ class eIPHandler
if ($vals === FALSE) return $ret; if ($vals === FALSE) return $ret;
if (substr($vals[0], 0, 5) != '<?php') if (substr($vals[0], 0, 5) != '<?php')
{ {
echo "Invalid message file"; echo 'Invalid message file';
die(); // Debateable, because admins can't get in if this fails. But can manually delete the file. die(); // Debatable, because admins can't get in if this fails. But can manually delete the file.
} }
unset($vals[0]); unset($vals[0]);
foreach ($vals as $line) foreach ($vals as $line)
@@ -424,7 +440,7 @@ class eIPHandler
* *
* @param string $addr - IP address in 'normal' form * @param string $addr - IP address in 'normal' form
* *
* @return int - 1 = whitelisted, 0 = not listed (= 'OK'), <0 is 'reason code' for ban * @return int - >0 = whitelisted, 0 = not listed (= 'OK'), <0 is 'reason code' for ban
* *
* note: Could maybe combine this with getWhiteBlackList() for efficiency, but makes it less general * note: Could maybe combine this with getWhiteBlackList() for efficiency, but makes it less general
*/ */
@@ -437,7 +453,9 @@ class eIPHandler
if (strpos($addr, $val['ip']) === 0) // See if our address begins with an entry - handles wildcards if (strpos($addr, $val['ip']) === 0) // See if our address begins with an entry - handles wildcards
{ // Match found { // Match found
if (($val['time_limit'] == 0) || ($val['time_limit'] > $now)) if (($val['time_limit'] == 0) || ($val['time_limit'] > $now))
{ // Indefinite ban, or timed ban, not expired { // Indefinite ban, or timed ban (not expired) or whitelist entry
if ($val['action']== BAN_TYPE_LEGACY) return BAN_TYPE_MANUAL; // Precautionary
$this->matchAddress = $val['ip'];
return $val['action']; // OK to just return - PHP should release the memory used by $checkLists return $val['action']; // OK to just return - PHP should release the memory used by $checkLists
} }
// Time limit expired // Time limit expired
@@ -535,6 +553,27 @@ class eIPHandler
/**
* Given a potentially truncated IPV6 address as used in the ban list files, adds 'x' characters etc to create
* a normalised IPV6 address as stored in the DB. Returned length is exactly 39 characters
*/
public function ip6AddWildcards($address)
{
while (($togo = (39 - strlen($address))) > 0)
{
if (($togo % 5) == 0)
{
$address .= ':';
}
else
{
$address .= 'x';
}
}
return $address;
}
/** /**
* Takes an encoded IP address - returns a displayable one * Takes an encoded IP address - returns a displayable one
* Set $IP4Legacy TRUE to display 'old' (IPv4) addresses in the familiar dotted format, * Set $IP4Legacy TRUE to display 'old' (IPv4) addresses in the familiar dotted format,
@@ -705,7 +744,7 @@ class eIPHandler
/** /**
* Routines beyone here are to handle banlist-related tasks which involve the DB * Routines beyond here are to handle banlist-related tasks which involve the DB
* note: Most of these routines already existed; moved in from e107_class.php * note: Most of these routines already existed; moved in from e107_class.php
*/ */
@@ -728,14 +767,14 @@ class eIPHandler
public function ban() public function ban()
{ {
$sql = e107::getDb(); $sql = e107::getDb();
$pref = e107::getPref();
if ($this->clearBan !== FALSE) if ($this->clearBan !== FALSE)
{ // Expired ban to clear - match exactly the address which triggered this action - could be a wildcard { // Expired ban to clear - match exactly the address which triggered this action - could be a wildcard
if ($sql->db_Delete('banlist',"`banlist_ip`='{$this->clearBan}'")) $clearAddress = $this->ip6AddWildcards($this->clearBan);
if ($sql->db_Delete('banlist',"`banlist_ip`='{$clearAddress}'"))
{ {
$this->actionCount--; // One less item on list $this->actionCount--; // One less item on list
$this->logBanItem(0,'Ban cleared: '.$this->clearBan); $this->logBanItem(0,'Ban cleared: '.$clearAddress);
// Now regenerate the text files - so no further triggers from this entry // Now regenerate the text files - so no further triggers from this entry
$this->regenerateFiles(); $this->regenerateFiles();
} }
@@ -747,7 +786,7 @@ class eIPHandler
if ($ip != eIPHandler::LOCALHOST_IP) if ($ip != eIPHandler::LOCALHOST_IP)
{ // Check host name, user email to see if banned { // Check host name, user email to see if banned
$vals = array(); $vals = array();
if(varsettrue($pref['enable_rdns'])) if (e107::getPref('enable_rdns'))
{ {
$vals = array_merge($vals, $this->makeDomainQuery($this->get_host_name($ip), '')); $vals = array_merge($vals, $this->makeDomainQuery($this->get_host_name($ip), ''));
} }
@@ -789,7 +828,7 @@ class eIPHandler
//$admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Check for Ban",$query,FALSE,LOG_TO_ROLLING); //$admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Check for Ban",$query,FALSE,LOG_TO_ROLLING);
if ($sql->db_Select('banlist', '*', $query.' ORDER BY `banlist_bantype` DESC')) if ($sql->db_Select('banlist', '*', $query.' ORDER BY `banlist_bantype` DESC'))
{ {
// Any whitelist entries will be first, because they are large positive numbers - so we can answer based on the first DB record read // Any whitelist entries will be first, because they are positive numbers - so we can answer based on the first DB record read
$row = $sql->db_Fetch(); $row = $sql->db_Fetch();
if ($row['banlist_bantype'] >= eIPHandler::BAN_TYPE_WHITELIST) if ($row['banlist_bantype'] >= eIPHandler::BAN_TYPE_WHITELIST)
{ {
@@ -882,7 +921,16 @@ class eIPHandler
$ban_message .= 'Host: '.$this->get_host_name($ban_ip); $ban_message .= 'Host: '.$this->get_host_name($ban_ip);
} }
// Add using an array - handles DB changes better // Add using an array - handles DB changes better
$sql->db_Insert('banlist', array('banlist_ip' => $ban_ip , 'banlist_bantype' => $bantype , 'banlist_datestamp' => time() , 'banlist_banexpires' => (varsettrue($pref['ban_durations'][$bantype]) ? time()+($pref['ban_durations'][$bantype]*60*60) : 0) , 'banlist_admin' => $ban_user , 'banlist_reason' => $ban_message , 'banlist_notes' => $ban_notes)); $sql->db_Insert('banlist',
array(
'banlist_ip' => $ban_ip ,
'banlist_bantype' => $bantype ,
'banlist_datestamp' => time() ,
'banlist_banexpires' => (varsettrue($pref['ban_durations'][$bantype]) ? time()+($pref['ban_durations'][$bantype]*60*60) : 0) ,
'banlist_admin' => $ban_user ,
'banlist_reason' => $ban_message ,
'banlist_notes' => $ban_notes
));
$this->regenerateFiles(); $this->regenerateFiles();
return TRUE; return TRUE;
@@ -1110,7 +1158,7 @@ class banlistManager
$fileNameList = array('ip' => eIPHandler::BAN_FILE_IP_NAME, 'htaccess' => eIPHandler::BAN_FILE_HTACCESS, 'csv' => eIPHandler::BAN_FILE_CSV_NAME); $fileNameList = array('ip' => eIPHandler::BAN_FILE_IP_NAME, 'htaccess' => eIPHandler::BAN_FILE_HTACCESS, 'csv' => eIPHandler::BAN_FILE_CSV_NAME);
$qry = "SELECT * FROM `#banlist` "; $qry = 'SELECT * FROM `#banlist` ';
if ($typeList != '') $qry .= " WHERE`banlist_bantype` IN ({$typeList})"; if ($typeList != '') $qry .= " WHERE`banlist_bantype` IN ({$typeList})";
$qry .= ' ORDER BY `banlist_bantype` DESC'; // Order ensures whitelisted addresses appear first $qry .= ' ORDER BY `banlist_bantype` DESC'; // Order ensures whitelisted addresses appear first
@@ -1228,25 +1276,6 @@ class banlistManager
/**
* Converts a numeric ban type (as defined by a BAN_TYPE_xxxx constant) to the corresponding string
*/
// public function banTypeToText($banType)
// {
// if ($banType > 0) return '';
// return constant('BANLAN_10'.(-$banType));
// }
/**
* Converts a numeric ban type (as defined by a BAN_TYPE_xxxx constant) to the corresponding mouseover (title)string
*/
// public function banTypeToTitle($banType)
// {
// if ($banType > 0) return '';
// return constant('BANLAN_11'.(-$banType));
// }
/** /**
* Return string corresponding to a ban type * Return string corresponding to a ban type
* @param int $banType - constant representing the ban type * @param int $banType - constant representing the ban type
@@ -1285,12 +1314,13 @@ class banlistManager
} }
/** /**
* Write a text file containing the ban messages related to each ban reason * Write a text file containing the ban messages related to each ban reason
*/ */
public function writeBanMessageFile() public function writeBanMessageFile()
{ {
$pref = e107::getPref(); $pref['ban_messages'] = e107::getPref('ban_messages');
$oldName = $this->ourConfigDir.eIPHandler::BAN_FILE_ACTION_NAME.'_tmp'.eIPHandler::BAN_FILE_EXTENSION; $oldName = $this->ourConfigDir.eIPHandler::BAN_FILE_ACTION_NAME.'_tmp'.eIPHandler::BAN_FILE_EXTENSION;
if ($tmp = fopen($oldName, 'w')) if ($tmp = fopen($oldName, 'w'))
@@ -1308,6 +1338,12 @@ class banlistManager
} }
/**
* Check whether the message file (containing responses to ban types) exists
*
* @return boolean TRUE if exists, FALSE if doesn't exist
*/
public function doesMessageFileExist() public function doesMessageFileExist()
{ {
return is_readable($this->ourConfigDir.eIPHandler::BAN_FILE_ACTION_NAME.eIPHandler::BAN_FILE_EXTENSION); return is_readable($this->ourConfigDir.eIPHandler::BAN_FILE_ACTION_NAME.eIPHandler::BAN_FILE_EXTENSION);
@@ -1388,24 +1424,36 @@ class banlistManager
/** /**
* Update expiry time for IP addresses that have accessed the site while banned. * Update expiry time for IP addresses that have accessed the site while banned.
* Processes the entries in the 'ban retrigger' action file, and deletes the file
* *
* @param int $start - date/timestamp for earliest time to consider (usually time previous cron call to this routine was run). * Needs to be called from a cron job, at least once per hour, and ideally every few minutes. Otherwise banned users who access
* the site in the period since the last call to this routine may be able to get in because their ban has expired. (Unlikely to be
* an issue in practice)
* *
* @return int number of IP addresses updated * @return int number of IP addresses updated
* *
* @todo - finish this - DB access stuff to do * @todo - implement cron job and test
*/ */
public function banRetriggerAction($start = 0) public function banRetriggerAction()
{ {
//if (!e107::getPref('ban_retrigger')) return 0; // Should be checked earlier
$numEntry = 0; // Make sure this variable declared before passing it - total number of log entries. $numEntry = 0; // Make sure this variable declared before passing it - total number of log entries.
$ipAction = array(); // Array of IP addresses to action $ipAction = array(); // Array of IP addresses to action
$entries = $this->getLogEntries(0, 0, $numEntry); $fileName = $this->ourConfigDir.eIPHandler::BAN_FILE_RETRIGGER_NAME.eIPHandler::BAN_FILE_EXTENSION;
$entries = file($fileName);
if (!is_array($entries))
{
return 0; // Probably no retrigger actions
}
@unlink($fileName); // Delete the action file now we've read it in.
// Scan the list completely before doing any processing - this will ensure we only process the most recent entry for each IP address
while (count($entries) > 0) while (count($entries) > 0)
{ {
// @todo Could do a binary search to find the first entry to use - Potentially much faster
$line = array_shift($entries); $line = array_shift($entries);
$info = $this->splitLogEntry($line); $info = $this->splitLogEntry($line);
if (($info['banReason'] < 0) && ($info['banDate'] >= $start)) if ($info['banReason'] < 0)
{ {
$ipAction[$info['banIP']] = array('date' => $info['banDate'], 'reason' => $info['banReason']); // This will result in us gathering the most recent access from each IP address $ipAction[$info['banIP']] = array('date' => $info['banDate'], 'reason' => $info['banReason']); // This will result in us gathering the most recent access from each IP address
} }
@@ -1415,19 +1463,20 @@ class banlistManager
// Now run through the database updating times // Now run through the database updating times
$numRet = 0; $numRet = 0;
$ourDb = new db; // @todo change for 0.8 $pref['ban_durations'] = e107::getPref('ban_durations');
global $pref; $ourDb = e107::getDB(); // Should be able to use $sql, $sql2 at this point
$writeDb = new db; $writeDb = e107::getDB('sql2');
foreach ($ipAction as $ipKey => $ipInfo) foreach ($ipAction as $ipKey => $ipInfo)
{ {
// Have to search like this - may be a wildcard if ($ourDb->db_Select('banlist', '*', "`banlist_ip`='".$ipKey."'") === 1)
if ($ourDb->db_Select('banlist', '*', "`banlist_ip` LIKE '".$ipKey."'") === 1)
{ {
if ($row = $ourDb->db_Fetch()) if ($row = $ourDb->db_Fetch())
{ {
// @todo check next line // @todo check next line
$writeDb->db_Update('banlist', '`banlist_banexpires` = '.intval($row['banlist_banexpires'] + $pref['ban_durations'][$row['banlist_banreason']])); $writeDb->db_Update('banlist',
'`banlist_banexpires` = '.intval($row['banlist_banexpires'] + $pref['ban_durations'][$row['banlist_banreason']]));
$numRet++;
} }
} }
} }