From 91041d8c59d81e5c2675d8c3c5021e471da0cfcb Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sun, 20 Feb 2022 09:09:20 +0100
Subject: [PATCH] simplify/unify naming & wording of the two types of IP lists for the traffic limiter
---
 cfg/conf.sample.php | 17 ++++++++++-------
 lib/Configuration.php | 8 ++++----
 lib/Controller.php | 2 +-
 lib/Persistence/TrafficLimiter.php | 20 ++++++++++----------
 tst/Persistence/TrafficLimiterTest.php | 4 ++--
 5 files changed, 27 insertions(+), 24 deletions(-)
diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php
index d7e21f86..3bc4ec66 100644
--- a/cfg/conf.sample.php
+++ b/cfg/conf.sample.php
@@ -135,14 +135,17 @@ markdown = "Markdown"
 ; Set this to 0 to disable rate limiting.
 limit = 10
-; Set ips (v4|v6) which should be exempted for the rate-limit. CIDR also supported. Needed to be comma separated.
-; Unset for enabling and invalid values will be ignored
-; eg: exemptedIp = '1.2.3.4,10.10.10/24'
+; (optional) Set IPs adresses (v4 or v6) or subnets (CIDR) which are exempted
+; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
+; be exempted, the list needs to be comma separated. Leave unset to disable
+; exemptions.
+; exempted = "1.2.3.4,10.10.10/24"
-; (optional) if you only want some source IP addresses to create pastes
-; enter their IPv4 address(es) here, separated by commas. This does not
-; currently support CIDR notation, only individual IPv4 addresses.
-; whitelist_paste_creation = "12.34.56.78,99.88.77.66"
+; (optional) If you want only some source IP addresses (v4 or v6) or subnets
+; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
+; ignored. If multiple values are to be exempted, the list needs to be comma
+; separated. Leave unset to allow anyone to create pastes.
+; creators = "1.2.3.4,10.10.10/24"
 ; (optional) if your website runs behind a reverse proxy or load balancer,
 ; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
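Review bot: The `creators` comment carries over the exemption wording ("If multiple values are to be exempted") although this list controls who may create pastes, and the `exempted` comment has the typo "IPs adresses"; suggested lines are `; (optional) Set IP addresses (v4 or v6) or subnets (CIDR) which are exempted` and `; ignored. If multiple values are to be allowed, the list needs to be comma`. Both examples use `10.10.10/24`, while the test file exercises `10.10.10.0/24`; since the text says invalid entries are silently ignored, an example in the tested form (`"1.2.3.4,10.10.10.0/24"`) would avoid an entry that looks active but may never match. Whether the short form is accepted by the matcher is not visible in this patch.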
diff --git a/lib/Configuration.php b/lib/Configuration.php
index c3a6fa25..130eecf6 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -78,10 +78,10 @@ class Configuration
 'markdown' => 'Markdown',
 ),
 'traffic' => array(
- 'limit' => 10,
- 'header' => null,
- 'exemptedIp' => null,
- 'whitelist' => null,
+ 'limit' => 10,
+ 'header' => '',
+ 'exempted' => '',
+ 'creators' => '',
 ),
 'purge' => array(
 'limit' => 300,
diff --git a/lib/Controller.php b/lib/Controller.php
index b150691a..8ead8848 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -196,7 +196,7 @@ class Controller
 private function _create()
 {
 // Check if whitelist feature is enabled
- if (($option = $this->_conf->getKey('whitelist_paste_creation', 'traffic')) !== null) {
+ if (($option = $this->_conf->getKey('creators', 'traffic')) !== '') {
 // Parse whitelist into array
 $whitelist = explode(',', $option);
 // Check for source IP in HTTP header
diff --git a/lib/Persistence/TrafficLimiter.php b/lib/Persistence/TrafficLimiter.php
index 9e896c1d..168b46c0 100644
--- a/lib/Persistence/TrafficLimiter.php
+++ b/lib/Persistence/TrafficLimiter.php
@@ -33,13 +33,13 @@ class TrafficLimiter extends AbstractPersistence
 private static $_limit = 10;
 /**
- * listed ips are exempted from limits, defaults to null
+ * listed IPs are exempted from limits, defaults to null
 *
 * @access private
 * @static
 * @var string|null
 */
- private static $_exemptedIp = null;
+ private static $_exempted = null;
 /**
 * key to fetch IP address
@@ -63,15 +63,15 @@ class TrafficLimiter extends AbstractPersistence
 }
 /**
- * set a list of ip(ranges) as string
+ * set a list of IP(-ranges) as string
 *
 * @access public
 * @static
- * @param string $exemptedIps
+ * @param string $exempted
 */
- public static function setExemptedIp($exemptedIp)
+ public static function setExempted($exempted)
 {
- self::$_exemptedIp = $exemptedIp;
+ self::$_exempted = $exempted;
 }
 /**
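Review bot: Renaming the `[traffic]` defaults (`exemptedIp` to `exempted`, `whitelist` to `creators`, with `Controller.php` previously reading `whitelist_paste_creation`) leaves no fallback for configuration files written against the old names. If an unknown key is dropped or simply never read (how `Configuration` merges the ini file is outside this hunk), an instance that restricted paste creation through the old option would accept pastes from any address after the upgrade, without any error or log line. Reading the old names as deprecated aliases for a release, or at least calling out the rename in the changelog and upgrade notes, would keep that restriction from disappearing silently. The class body continues outside the hunk.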
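Review bot: The sample configuration now promises IPv4/IPv6 addresses and CIDR subnets for `creators`, but the lines visible in `_create()` only split the option on commas (`explode(',', $option)`) and the comments still call it a whitelist. If the comparison further down (outside this hunk) is an exact string match, subnet entries and entries written with a space after the comma would never match, so the documented restriction would not behave as described. Routing the check through the matcher `TrafficLimiter` already uses for `exempted` (`matchIp`) and trimming each entry would keep the two lists consistent; the same untrimmed split is in `TrafficLimiter::canPass()` (`explode(',', self::$_exempted)`). The comments could follow the new name, e.g. `// Check if paste creation is restricted to certain IPs`.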
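Review bot: `$_exempted` still defaults to `null` and its docblock keeps "defaults to null" and `@var string|null`, while the configuration default for `exempted` becomes `''` in this commit and `canPass()` switches to `!empty()` to cope with both. Initialising with `private static $_exempted = '';` and documenting `@var string` would give the property a single empty state and match the `!== ''` checks used for `header` and `creators`. The class body continues outside the hunk.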
@@ -84,9 +84,9 @@ class TrafficLimiter extends AbstractPersistence
 public static function setConfiguration(Configuration $conf)
 {
 self::setLimit($conf->getKey('limit', 'traffic'));
- self::setExemptedIp($conf->getKey('exemptedIp', 'traffic'));
+ self::setExempted($conf->getKey('exempted', 'traffic'));
- if (($option = $conf->getKey('header', 'traffic')) !== null) {
+ if (($option = $conf->getKey('header', 'traffic')) !== '') {
 $httpHeader = 'HTTP_' . $option;
 if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
 self::$_ipKey = $httpHeader;
@@ -152,8 +152,8 @@ class TrafficLimiter extends AbstractPersistence
 }
 // Check if $_ipKey is exempted from ratelimiting
- if (!is_null(self::$_exemptedIp)) {
- $exIp_array = explode(',', self::$_exemptedIp);
+ if (!empty(self::$_exempted)) {
+ $exIp_array = explode(',', self::$_exempted);
 foreach ($exIp_array as $ipRange) {
 if (self::matchIp($ipRange) === true) {
 return true;
diff --git a/tst/Persistence/TrafficLimiterTest.php b/tst/Persistence/TrafficLimiterTest.php
index aedbf889..8c83f0b5 100644
--- a/tst/Persistence/TrafficLimiterTest.php
+++ b/tst/Persistence/TrafficLimiterTest.php
@@ -47,7 +47,7 @@ class TrafficLimiterTest extends PHPUnit_Framework_TestCase
 $this->assertFalse(TrafficLimiter::canPass(), 'fifth request is to fast, may not pass');
 // exempted IPs configuration
- TrafficLimiter::setExemptedIp('1.2.3.4,10.10.10.0/24,2001:1620:2057::/48');
+ TrafficLimiter::setExempted('1.2.3.4,10.10.10.0/24,2001:1620:2057::/48');
 $this->assertFalse(TrafficLimiter::canPass(), 'still too fast and not exempted');
 $_SERVER['REMOTE_ADDR'] = '10.10.10.10';
 $this->assertTrue(TrafficLimiter::canPass(), 'IPv4 in exempted range');
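Review bot: `setConfiguration()` should document that, once `header` is set and present in the request, the address used for the rate-limit and exemption decision is whatever arrives in `$_SERVER['HTTP_' . $option]`. Nothing in the visible lines ties that value to a request coming from the proxy, so the `exempted` list is only as trustworthy as the proxy's handling of that header; a docblock line such as `* NOTE: only set [traffic] header when a trusted reverse proxy overwrites it on every request` would make the assumption explicit. Comparing `trim($option) !== ''` would also keep a whitespace-only value from being treated as a configured header. The method body continues outside the hunk.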
@@ -55,7 +55,7 @@ class TrafficLimiterTest extends PHPUnit_Framework_TestCase
 $_SERVER['REMOTE_ADDR'] = '2001:1620:2057:dead:beef::cafe:babe';
 $this->assertTrue(TrafficLimiter::canPass(), 'IPv6 in exempted range');
 $this->assertTrue(TrafficLimiter::canPass(), 'request is to fast, but IPv6 in exempted range');
- TrafficLimiter::setExemptedIp('127.*,foobar');
+ TrafficLimiter::setExempted('127.*,foobar');
 $this->assertFalse(TrafficLimiter::canPass(), 'request is to fast, invalid range');
 $_SERVER['REMOTE_ADDR'] = 'foobar';
 $this->assertTrue(TrafficLimiter::canPass(), 'non-IP address');