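--- a/trunk/extensions/CheckUser/CheckUser_body.php
+++ b/trunk/extensions/CheckUser/CheckUser_body.php
@@ -223,7 +223,8 @@
 # XFF
 if ( $row->cuc_xff !=null ) {
 # Flag our trusted proxies
-$c = wfIsTrustedProxy($row->cuc_ip) ? '#F0FFF0' : '#FFFFCC';
+list($client,$trusted) = wfGetClientIPfromXFF($row->cuc_xff,$row->cuc_ip);
+$c = $trusted ? '#F0FFF0' : '#FFFFCC';
 $line .= '</span> <span style="background-color: '.$c.'"> <strong>XFF</strong>: ';
 $line .= $this->skin->makeKnownLinkObj( $cuTitle,
 htmlspecialchars( $row->cuc_xff ),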
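Review bot: The comment `# Flag our trusted proxies` above the new `wfGetClientIPfromXFF` call no longer describes what the green background means: it used to mark rows whose `cuc_ip` is a trusted proxy, and it now marks rows where the helper reports the sender and every listed hop as trusted. A CheckUser operator reads that colour as a trust signal, so I would reword the comment to `# Green only if cuc_ip and every proxy listed in the XFF are trusted`. `$client` is assigned but not read in the visible lines; if nothing later in the block uses it, `list( , $trusted ) = wfGetClientIPfromXFF(...)` makes that explicit. The enclosing block starts and ends outside the hunk.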
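--- a/trunk/extensions/CheckUser/CheckUser.php
+++ b/trunk/extensions/CheckUser/CheckUser.php
@@ -41,7 +41,7 @@
 $ip = wfGetIP();
 
 $xff = wfGetForwardedFor();
-$xff_ip = wfGetLastIPfromXFF( $xff );
+list($xff_ip,$trusted) = wfGetClientIPfromXFF( $xff );
 
 $agent = wfGetAgent();
 
@@ -82,6 +82,42 @@
 }
 
 /**
+* Locates the client IP within a given XFF string
+* @param string $xff
+* @param string $address, the ip that sent this header (optional)
+* @return array( string, bool )
+*/
+function wfGetClientIPfromXFF( $xff, $address=NULL ) {
+if ( !$xff ) return array(null, false);
+// Avoid annoyingly long xff hacks
+$xff = trim( substr( $xff, 0, 255 ) );
+$client = null;
+$trusted = true;
+// Check each IP, assuming they are separated by commas
+$ips = explode(',',$xff);
+foreach( $ips as $n => $ip ) {
+$ip = trim($ip);
+// If it is a valid IP, not a hash or such
+if ( IP::isIPAddress($ip) ) {
+# The first IP should be the client
+if ( $n==0 ) {
+$client = $ip;
+# Check that all servers are trusted
+} else if ( !wfIsTrustedProxy($ip) ) {
+$trusted = false;
+break;
+}
+}
+}
+// We still have to test if the IP that sent
+// this header is trusted to confirm results
+if ( !$address || !wfIsTrustedProxy($address) )
+$trusted = false;
+
+return array( $client, $trusted );
+}
+
+/**
 * Tell the parser test engine to create a stub cu_changes table,
 * or temporary pages won't save correctly during the test run.
 */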
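Review bot: Truncating the header with `substr( $xff, 0, 255 )` in wfGetClientIPfromXFF cuts from the right, so the entries dropped are the ones appended last, by the proxies nearest the server, while the entries kept are the ones supplied earliest and least verifiable. With an over-long header the loop can finish with `$trusted` still true without ever examining the hop a trusted proxy appended, and a cut through the final address can leave a shorter string that still passes `IP::isIPAddress`. I would treat an over-length header as untrusted instead of evaluating a prefix of it, for example by replacing `$trusted = true;` with `$trusted = ( strlen( $xff ) <= 255 );` computed before the truncation. Separately, the call at new line 45 passes no `$address`, so `$trusted` is always false there; `$ip` from `wfGetIP()` is in scope just above if the flag is meant to be used.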