This is an automated email from the git hooks/post-receive script. skunnyk pushed a commit to branch oldforum in repository www/forum.xfce.org.
commit a47fa75336802e076e6b74af60fdff016693d9de
Author: Nick Schermer <n...@xfce.org>
Date: Sat Nov 13 11:30:17 2010 +0100
Update bad behaviour plugin to 2.1.7.
---
 include/bad-behavior/banned.inc.php | 8 +++++---
 include/bad-behavior/blackhole.inc.php | 5 -----
 include/bad-behavior/cloudflare.inc.php | 15 +++++++++++++++
 include/bad-behavior/common_tests.inc.php | 13 +++++++++----
 include/bad-behavior/core.inc.php | 19 +++++++++++++++++--
 include/bad-behavior/functions.inc.php | 5 +++++
 include/bad-behavior/google.inc.php | 7 ++++++-
 include/bad-behavior/msnbot.inc.php | 7 ++++++-
 include/bad-behavior/responses.inc.php | 2 ++
 include/bad-behavior/roundtripdns.inc.php | 20 ++++++++++++++++++++
 include/bad-behavior/version.inc.php | 2 +-
 include/whitelist.ini | 26 ++++++++++++++++++++++++++
 plugins/AP_Bad_Behavior.php | 1 +
 13 files changed, 113 insertions(+), 17 deletions(-)
diff --git a/include/bad-behavior/banned.inc.php b/include/bad-behavior/banned.inc.php
index 85a58f2..2b26cb1 100644
--- a/include/bad-behavior/banned.inc.php
+++ b/include/bad-behavior/banned.inc.php
@@ -5,7 +5,7 @@ require_once(BB2_CORE . "/responses.inc.php");
-function bb2_display_denial($settings, $key, $previous_key = false)
+function bb2_display_denial($settings, $package, $key, $previous_key = false)
 {
 define('DONOTCACHEPAGE', true); // WP Super Cache
 if (!$previous_key) $previous_key = $key;
@@ -13,7 +13,7 @@ function bb2_display_denial($settings, $key, $previous_key = false)
 // FIXME: lookup the real key
 }
 // Create support key
- $ip = explode(".", $_SERVER['REMOTE_ADDR']);
+ $ip = explode(".", $package['ip']);
 $ip_hex = "";
 foreach ($ip as $octet) {
 $ip_hex .= str_pad(dechex($octet), 2, 0, STR_PAD_LEFT);
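Review bot: The support key built from `$package['ip']` at the `explode(".", ...)` line assumes a dotted-quad address, but as of this commit `bb2_start()` in core.inc.php fills `ip` from the client-supplied `Cf-Connecting-Ip` header when present, and roundtripdns.inc.php in the same commit states the code is not IPv6 safe; a non-IPv4 value feeds non-numeric strings to `dechex()` and silently yields a meaningless key. A guard such as `if (ip2long($package['ip']) === false) $ip = array(0, 0, 0, 0);` after the `explode()` keeps the key well-formed and makes the malformed case visible in the rendered key. `bb2_display_denial()` continues past the end of this hunk.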
@@ -24,6 +24,8 @@ function bb2_display_denial($settings, $key, $previous_key = false)
 $response = bb2_get_response($previous_key);
 header("HTTP/1.1 " . $response['response'] . " Bad Behavior");
 header("Status: " . $response['response'] . " Bad Behavior");
+ $request_uri = $_SERVER["REQUEST_URI"];
+ if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <!--< html xmlns="http://www.w3.org/1999/xhtml">-->
@@ -33,7 +35,7 @@ function bb2_display_denial($settings, $key, $previous_key = false)
 <body>
 <h1>Error <?php echo $response['response']; ?></h1>
 <p>We're sorry, but we could not fulfill your request for
-<?php echo htmlspecialchars($_SERVER['REQUEST_URI']) ?> on this server.</p>
+<?php echo htmlspecialchars($request_uri) ?> on this server.</p>
 <p><?php echo $response['explanation']; ?></p>
 <p>Your technical support key is: <strong><?php echo $support_key; ?></strong></p>
 <p>You can use this key to <a href="http://www.ioerror.us/bb2-support-key?key=<?php echo $support_key; ?>">fix this problem yourself</a>.</p>
diff --git a/include/bad-behavior/blackhole.inc.php b/include/bad-behavior/blackhole.inc.php
index 63829a6..f3bdff9 100644
--- a/include/bad-behavior/blackhole.inc.php
+++ b/include/bad-behavior/blackhole.inc.php
@@ -1,10 +1,5 @@
 <?php if (!defined('BB2_CORE')) die('I said no cheating!');
-// Quick and dirty check for an IPv6 address
-function is_ipv6($address) {
- return (strpos($address, ":")) ? TRUE : FALSE;
-}
-
 // Look up address on various blackhole lists.
 // These should not be used for GET requests under any circumstances!
 // FIXME: Note that this code is no longer in use
diff --git a/include/bad-behavior/cloudflare.inc.php b/include/bad-behavior/cloudflare.inc.php
new file mode 100644
index 0000000..4f77f48
--- /dev/null
+++ b/include/bad-behavior/cloudflare.inc.php
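Review bot: `$request_uri = $_SERVER["REQUEST_URI"];` reads the index unconditionally, so on the IIS setups the next line is meant to cover, the missing key raises an undefined-index notice before the fallback ever runs (and because `!` tests truthiness, a request URI of `"0"` would be replaced too). `$request_uri = isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] !== '' ? $_SERVER['REQUEST_URI'] : $_SERVER['SCRIPT_NAME']; # IIS` avoids both. The same two lines are added to `bb2_start()` in core.inc.php, where a notice emitted before the `header()` calls here could also interfere with sending headers, so both places should get the same treatment.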
@@ -0,0 +1,15 @@
+<?php if (!defined('BB2_CORE')) die('I said no cheating!');
+
+// Analyze requests claiming to be from CloudFlare
+
+require_once(BB2_CORE . "/roundtripdns.inc.php");
+
+function bb2_cloudflare($package)
+{
+ if (!bb2_roundtripdns($package['cloudflare'], "cloudflare.com")) {
+ return '70e45496';
+ }
+ return false;
+}
+
+?>
diff --git a/include/bad-behavior/common_tests.inc.php b/include/bad-behavior/common_tests.inc.php
index e4d88f0..fea693f 100644
--- a/include/bad-behavior/common_tests.inc.php
+++ b/include/bad-behavior/common_tests.inc.php
@@ -4,7 +4,6 @@ function bb2_protocol($settings, $package)
 {
- // Is it claiming to be HTTP/1.0? Then it shouldn't do HTTP/1.1 things
 // Always run this test; we should never see Expect:
 if (array_key_exists('Expect', $package['headers_mixed']) && stripos($package['headers_mixed']['Expect'], "100-continue") !== FALSE) {
 return "a0105122";
@@ -54,9 +53,9 @@ function bb2_misc_headers($settings, $package)
 // Real user-agents do not start ranges at 0
 // NOTE: this blocks the whois.sc bot. No big loss.
 // Exceptions: MT (not fixable); LJ (refuses to fix; may be
- // blocked again in the future)
+ // blocked again in the future); Facebook
 if ($settings['strict'] && array_key_exists('Range', $package['headers_mixed']) && strpos($package['headers_mixed']['Range'], "=0-") !== FALSE) {
- if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) && strncmp($ua, "php-openid/", 11)) {
+ if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) && strncmp($ua, "php-openid/", 11) && strncmp($ua, "facebookexternalhit", 19)) {
 return "7ad04a8a";
 }
 }
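Review bot: `bb2_cloudflare()` collapses the three outcomes of `bb2_roundtripdns()` into a boolean with `!`, but that helper (added in roundtripdns.inc.php in this commit) returns the address itself, a truthy string, when it cannot verify an IPv6 peer, so an IPv6 connection claiming to be CloudFlare is treated as verified rather than as unverifiable. Since `bb2_screen()` in core.inc.php then uses the forwarded `Cf-Connecting-Ip` value as `$package['ip']`, this is the point where an unverified header gets past the check. Compare strictly, `if (bb2_roundtripdns($package['cloudflare'], "cloudflare.com") !== true) {`, so that only a confirmed round trip passes. The `!` test in `bb2_google()` (google.inc.php) and `bb2_msnbot()` (msnbot.inc.php) has the same shape and there replaces a CIDR check that did reject non-IPv4 peers.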
@@ -105,6 +104,12 @@ function bb2_misc_headers($settings, $package)
 if (preg_match('/\bkeep-alive,\s?keep-alive\b/i', $package['headers_mixed']['Connection'])) {
 return "a52f0448";
 }
+ // Keep-Alive format in RFC 2068; some bots mangle these headers
+ if (stripos($package['headers_mixed']['Connection'], "Keep-Alive: ") !== FALSE) {
+ return "b0924802";
+ }
+ // Close should not be oddly capitalized
+
 }
@@ -113,7 +118,7 @@ function bb2_misc_headers($settings, $package)
 return "b9cc1d86";
 }
 // Proxy-Connection does not exist and should never be seen in the wild
- if (array_key_exists('Proxy-Connection', $package['headers_mixed'])) {
+ if ($settings['strict'] && array_key_exists('Proxy-Connection', $package['headers_mixed'])) {
 return "b7830251";
 }
diff --git a/include/bad-behavior/core.inc.php b/include/bad-behavior/core.inc.php
index 0b09fb5..a9d2bbf 100644
--- a/include/bad-behavior/core.inc.php
+++ b/include/bad-behavior/core.inc.php
@@ -16,7 +16,7 @@ function bb2_banned($settings, $package, $key, $previous_key=false)
 sleep(2);
 require_once(BB2_CORE . "/banned.inc.php");
- bb2_display_denial($settings, $key, $previous_key);
+ bb2_display_denial($settings, $package, $key, $previous_key);
 bb2_log_denial($settings, $package, $key, $previous_key);
 if (is_callable('bb2_banned_callback')) {
 bb2_banned_callback($settings, $package, $key);
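Review bot: The added comment `// Close should not be oddly capitalized` is followed by no test, only the end of the block, so it reads as an unfinished check rather than documentation. Either add the check it describes or drop the line; as committed it will lead the next reader to look for a `Close` test that does not exist. The block this sits in, which reads `$package['headers_mixed']['Connection']` directly, starts before this hunk.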
@@ -64,7 +64,14 @@ function bb2_start($settings)
 }
 }
- @$package = array('ip' => $_SERVER['REMOTE_ADDR'], 'headers' => $headers, 'headers_mixed' => $headers_mixed, 'request_method' => $_SERVER['REQUEST_METHOD'], 'request_uri' => $_SERVER['REQUEST_URI'], 'server_protocol' => $_SERVER['SERVER_PROTOCOL'], 'request_entity' => $request_entity, 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 'is_browser' => false);
+ $request_uri = $_SERVER["REQUEST_URI"];
+ if (!$request_uri) $request_uri = $_SERVER['SCRIPT_NAME']; # IIS
+
+ # Nasty CloudFlare hack provided by butchs at simplemachines
+ $ip_temp = preg_replace("/^::ffff:/", "", (array_key_exists('Cf-Connecting-Ip', $headers_mixed)) ? $_SERVER['HTTP_CF_CONNECTING_IP'] : $_SERVER['REMOTE_ADDR']);
+ $cloudflare_ip = preg_replace("/^::ffff:/", "", $_SERVER['REMOTE_ADDR']);
+
+ @$package = array('ip' => $ip_temp, 'headers' => $headers, 'headers_mixed' => $headers_mixed, 'request_method' => $_SERVER['REQUEST_METHOD'], 'request_uri' => $request_uri, 'server_protocol' => $_SERVER['SERVER_PROTOCOL'], 'request_entity' => $request_entity, 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 'is_browser' => false, 'cloudflare' => $cloudflare_ip);
 $result = bb2_screen($settings, $package);
 if ($result && !defined('BB2_TEST')) bb2_banned($settings, $package, $result);
@@ -76,6 +83,14 @@ function bb2_screen($settings, $package)
 // Please proceed to the security checkpoint and have your
 // identification and boarding pass ready.
+ // Check for CloudFlare CDN since IP to be screened may be different
+ // Thanks to butchs at Simple Machines
+ if (array_key_exists('Cf-Connecting-Ip', $package['headers_mixed'])) {
+ require_once(BB2_CORE . "/cloudflare.inc.php");
+ $r = bb2_cloudflare($package);
+ if ($r !== false && $r != $package['ip']) return $r;
+ }
+
 // First check the whitelist
 require_once(BB2_CORE . "/whitelist.inc.php");
 if (!bb2_whitelist($package)) {
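Review bot: `$ip_temp` substitutes the value of the client-supplied `Cf-Connecting-Ip` header for `REMOTE_ADDR` whenever the header is present, and the only guard is `bb2_cloudflare()` in `bb2_screen()`, which (see the cloudflare.inc.php hunk) accepts the IPv6 "cannot verify" result of `bb2_roundtripdns()` as success; the unverified value then reaches `bb2_whitelist()` (whitelist.ini in this commit lists the RFC 1918 ranges), every later screening test and `bb2_log_denial()` as `$package['ip']`. The header value is also never checked to be an address at all. Substituting it only after the peer has been confirmed by round-trip DNS, and only when it parses as IPv4, keeps the screened and logged address honest, while a failed claim is still reported by `bb2_screen()` through `bb2_cloudflare()`. The two `$request_uri` lines above have the undefined-index problem noted on the banned.inc.php hunk.
```php
	# Nasty CloudFlare hack provided by butchs at simplemachines
	$cloudflare_ip = preg_replace("/^::ffff:/", "", $_SERVER['REMOTE_ADDR']);
	$ip_temp = $cloudflare_ip;
	if (array_key_exists('Cf-Connecting-Ip', $headers_mixed)) {
		require_once(BB2_CORE . "/roundtripdns.inc.php");
		$forwarded = preg_replace("/^::ffff:/", "", $_SERVER['HTTP_CF_CONNECTING_IP']);
		// Trust the forwarded address only once the TCP peer is confirmed as
		// CloudFlare by round-trip DNS and the value parses as an IPv4 address.
		if (bb2_roundtripdns($cloudflare_ip, "cloudflare.com") === true && ip2long($forwarded) !== false) {
			$ip_temp = $forwarded;
		}
	}
	// … unchanged: $package construction using $ip_temp and $cloudflare_ip …
```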
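Review bot: `$r != $package['ip']` on the `return $r` line is always true, because `bb2_cloudflare()` returns either a response key or `false` and never an address; the extra comparison implies handling of an `$ip` sentinel that never arrives here and makes the intent harder to read. `if ($r !== false) return $r;` says what the code actually does. If the sentinel from `bb2_roundtripdns()` was meant to be handled, that has to happen inside `bb2_cloudflare()`, which currently folds it into a boolean.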
diff --git a/include/bad-behavior/functions.inc.php b/include/bad-behavior/functions.inc.php
index 22e8882..1c27cb1 100644
--- a/include/bad-behavior/functions.inc.php
+++ b/include/bad-behavior/functions.inc.php
@@ -2,6 +2,11 @@
 // Miscellaneous helper functions.
+// Quick and dirty check for an IPv6 address
+function is_ipv6($address) {
+ return (strpos($address, ":")) ? TRUE : FALSE;
+}
+
 // stripos() needed because stripos is only present on PHP 5
 if (!function_exists('stripos')) {
 function stripos($haystack,$needle,$offset = 0) {
diff --git a/include/bad-behavior/google.inc.php b/include/bad-behavior/google.inc.php
index 956bdb4..61d424d 100644
--- a/include/bad-behavior/google.inc.php
+++ b/include/bad-behavior/google.inc.php
@@ -2,9 +2,14 @@
 // Analyze user agents claiming to be Googlebot
+require_once(BB2_CORE . "/roundtripdns.inc.php");
+
 function bb2_google($package)
 {
- if (match_cidr($package['ip'], "66.249.64.0/19") === FALSE && match_cidr($package['ip'], "64.233.160.0/19") === FALSE && match_cidr($package['ip'], "72.14.192.0/18") === FALSE) {
+# if (match_cidr($package['ip'], "66.249.64.0/19") === FALSE && match_cidr($package['ip'], "64.233.160.0/19") === FALSE && match_cidr($package['ip'], "72.14.192.0/18") === FALSE) {
+# return "f1182195";
+# }
+ if (!bb2_roundtripdns($package['ip'], "googlebot.com")) {
 return "f1182195";
 }
 return false;
diff --git a/include/bad-behavior/msnbot.inc.php b/include/bad-behavior/msnbot.inc.php
index 0341da1..f647082 100644
--- a/include/bad-behavior/msnbot.inc.php
+++ b/include/bad-behavior/msnbot.inc.php
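Review bot: `return (strpos($address, ":")) ? TRUE : FALSE;` tests the match offset for truthiness, so an address whose first character is a colon (`::1`, or an IPv4-mapped `::ffff:` form before `bb2_start()` strips that prefix) yields offset 0 and is reported as not IPv6. The function is only moved here from blackhole.inc.php, but `bb2_roundtripdns()` in this commit now relies on it to skip addresses it cannot handle, so the result matters; `return strpos($address, ":") !== FALSE;` is the intended check.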
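Review bot: The three `#`-prefixed lines keep the old CIDR test as commented-out code beside its replacement, and msnbot.inc.php does the same; dead code inside a security check tends to get uncommented rather than read. Drop the lines, or if the ranges are kept as a documented fallback, say so in a comment on the `bb2_roundtripdns()` call. The `!` test on the round-trip result is discussed on the cloudflare.inc.php hunk.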
@@ -2,9 +2,14 @@
 // Analyze user agents claiming to be msnbot
+require_once(BB2_CORE . "/roundtripdns.inc.php");
+
 function bb2_msnbot($package)
 {
- if (match_cidr($package['ip'], "207.46.0.0/16") === FALSE && match_cidr($package['ip'], "65.52.0.0/14") === FALSE && match_cidr($package['ip'], "207.68.128.0/18") === FALSE && match_cidr($package['ip'], "207.68.192.0/20") === FALSE && match_cidr($package['ip'], "64.4.0.0/18") === FALSE) {
+# if (match_cidr($package['ip'], "207.46.0.0/16") === FALSE && match_cidr($package['ip'], "65.52.0.0/14") === FALSE && match_cidr($package['ip'], "207.68.128.0/18") === FALSE && match_cidr($package['ip'], "207.68.192.0/20") === FALSE && match_cidr($package['ip'], "64.4.0.0/18") === FALSE) {
+# return "e4de0453";
+# }
+ if (!bb2_roundtripdns($package['ip'], "msn.com")) {
 return "e4de0453";
 }
 return false;
diff --git a/include/bad-behavior/responses.inc.php b/include/bad-behavior/responses.inc.php
index 89c995c..bc1ff9c 100644
--- a/include/bad-behavior/responses.inc.php
+++ b/include/bad-behavior/responses.inc.php
@@ -19,6 +19,7 @@ function bb2_get_response($key) {
 '582ec5e4' => array('response' => 400, 'explanation' => 'An invalid request was received. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator. This may also be caused by a bug in the Opera web browser.', 'log' => '"Header \'TE\' present but TE not specified in \'Connection\' header'),
 '69920ee5' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Header \'Referer\' present but blank'),
 '6c502ff1' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Bot not fully compliant with RFC 2965'),
+ '70e45496' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User agent claimed to be CloudFlare, claim appears false'),
 '799165c2' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Rotating user-agents detected'),
 '7a06532b' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept-Encoding\' missing'),
 '7ad04a8a' => array('response' => 400, 'explanation' => 'The automated program you are using is not permitted to access this server. Please use a different program or a standard Web browser.', 'log' => 'Prohibited header \'Range\' present'),
@@ -28,6 +29,7 @@ function bb2_get_response($key) {
 'a0105122' => array('response' => 417, 'explanation' => 'Expectation failed. Please retry your request.', 'log' => 'Header \'Expect\' prohibited; resend without Expect'),
 'a1084bad' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User-Agent claimed to be MSIE, with invalid Windows version'),
 'a52f0448' => array('response' => 400, 'explanation' => 'An invalid request was received. This may be caused by a malfunctioning proxy server or browser privacy software. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator.', 'log' => 'Header \'Connection\' contains invalid values'),
+ 'b0924802' => array('response' => 400, 'explanation' => 'An invalid request was received. This may be caused by malicious software on your computer.', 'log' => 'Incorrect form of HTTP/1.0 Keep-Alive'),
 'b40c8ddc' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, close your browser, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'POST more than two days after GET'),
 'b7830251' => array('response' => 400, 'explanation' => 'Your proxy server sent an invalid request. Please contact the proxy server administrator to have this problem fixed.', 'log' => 'Prohibited header \'Proxy-Connection\' present'),
 'b9cc1d86' => array('response' => 403, 'explanation' => 'The proxy server you are using is not permitted to access this server. Please bypass the proxy server, or contact your proxy server administrator.', 'log' => 'Prohibited header \'X-Aaaaaaaaaa\' or \'X-Aaaaaaaaaaaa\' present'),
diff --git a/include/bad-behavior/roundtripdns.inc.php b/include/bad-behavior/roundtripdns.inc.php
new file mode 100644
index 0000000..0c993ec
--- /dev/null
+++ b/include/bad-behavior/roundtripdns.inc.php
@@ -0,0 +1,20 @@
+<?php if (!defined('BB2_CORE')) die("I said no cheating!");
+
+# Round trip DNS verification
+
+# Returns TRUE if DNS matches; FALSE on mismatch
+# Returns $ip if an error occurs
+# TODO: Not IPv6 safe
+# FIXME: Returns false on DNS server failure; PHP provides no distinction
+# between no records and error condition
+function bb2_roundtripdns($ip,$domain)
+{
+ if (@is_ipv6($ip)) return $ip;
+
+ $host = gethostbyaddr($ip);
+ $host_result = strpos(strrev($host), strrev($domain));
+ if ($host_result === false || $host_result > 0) return false;
+ $addrs = gethostbynamel($host);
+ if (in_array($ip, $addrs)) return true;
+ return false;
+}
diff --git a/include/bad-behavior/version.inc.php b/include/bad-behavior/version.inc.php
index f615eae..9b7cde8 100644
--- a/include/bad-behavior/version.inc.php
+++ b/include/bad-behavior/version.inc.php
@@ -1,3 +1,3 @@
 <?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.1.2");
+define('BB2_VERSION', "2.1.7");
 ?>
diff --git a/include/whitelist.ini b/include/whitelist.ini
new file mode 100644
index 0000000..83d248c
--- /dev/null
+++ b/include/whitelist.ini
@@ -0,0 +1,26 @@
+; Inappropriate whitelisting WILL expose you to spam, or cause Bad Behavior
+; to stop functioning entirely! DO NOT WHITELIST unless you are 100% CERTAIN
+; that you should.
+
+; IP address ranges use the CIDR format.
+
+[ip]
+; Digg whitelisted as of 2.0.12
+ip[] = "64.191.203.34"
+ip[] = "208.67.217.130"
+; RFC 1918 addresses
+ip[] = "10.0.0.0/8"
+ip[] = "172.16.0.0/12"
+ip[] = "192.168.0.0/16"
+
+; User agents are matched by exact match only.
+
+[useragent]
+useragent[] = "Mozilla/4.0 (It's me, let me in)"
+
+; URLs are matched from the first / after the server name up to, but not
+; including, the ? (if any). The URL to be whitelisted is a URL on YOUR site.
+
+[url]
+url[] = "/example.php"
+url[] = "/openid/server"
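Review bot: `in_array($ip, $addrs)` is reached with `$addrs === false` whenever `gethostbynamel()` cannot resolve the reverse name, which raises a warning on every such request before the function falls through to `return false`; the header comment already admits the helper cannot tell "no records" from a lookup failure, so the warning is pure noise. `if ($addrs !== false && in_array($ip, $addrs, true)) return true;` keeps the documented result and makes the comparison strict. The comment promises `$ip` on error, but only the IPv6 branch returns it, and every caller added in this commit (`bb2_cloudflare()`, `bb2_google()`, `bb2_msnbot()`) tests the result with `!`, so the comment should state that callers must compare against `true` to distinguish a verified round trip from an unverifiable address.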
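Review bot: The file is committed with the upstream sample entries live: `useragent[] = "Mozilla/4.0 (It's me, let me in)"` and `url[] = "/example.php"` are placeholders, and the user-agent one is an exact-match string, so if whitelist.inc.php reads this file as committed, any request carrying that string skips every test. The RFC 1918 ranges are sensible for a host behind a private network, but with the `Cf-Connecting-Ip` substitution in core.inc.php they are only safe once that forwarded value is verified before it is screened. Comment the placeholders out (`;useragent[] = ...`, `;url[] = ...`) and keep only the entries this site needs.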
diff --git a/plugins/AP_Bad_Behavior.php b/plugins/AP_Bad_Behavior.php
index 188807c..3c0b41d 100644
--- a/plugins/AP_Bad_Behavior.php
+++ b/plugins/AP_Bad_Behavior.php
@@ -63,6 +63,7 @@ else
 <div class="box">
 <div class="inbox">
 <p><?php echo bb2_insert_stats(true) ?></p>
+ <p>Powered by <a href="http://www.bad-behavior.ioerror.us/">Bad Behavior</a> version <?php echo BB2_VERSION ?></p>
 </div>
 </div>
 <h2 class="block2"><span>Settings</span></h2>
--
To stop receiving notification emails like this one, please contact the administrator of this repository.
_______________________________________________
Xfce4-commits mailing list
Xfce4-commits@xfce.org
https://mail.xfce.org/mailman/listinfo/xfce4-commits