From 91f78ecd0f3ff7a2ae225a835b3c87b8a7224fb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Tue, 5 May 2020 14:16:22 -0700
Subject: [PATCH 01/13] added "whitelist" under [traffic]

---
 cfg/conf.sample.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php
index d2d285de..e2d7fec8 100644
--- a/cfg/conf.sample.php
+++ b/cfg/conf.sample.php
@@ -127,6 +127,10 @@ markdown = "Markdown"
 ; Set this to 0 to disable rate limiting.
 limit = 10
 
+; (optional) if you only want some source IP addresses to create pastes
+; enter their IPv4 address(es) here, separated by commas
+; whitelist = "12.34.56.78,99.88.77.66"
+
 ; (optional) if your website runs behind a reverse proxy or load balancer,
 ; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
 ; header = "X_FORWARDED_FOR"

From 5644001c5377b5a0791e136cb67436a77490db6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Tue, 5 May 2020 14:17:15 -0700
Subject: [PATCH 02/13] added "whitelist" under [traffic]

---
 lib/Configuration.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/Configuration.php b/lib/Configuration.php
index 06edf68b..aa6d15d0 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -78,6 +78,7 @@ class Configuration
 ),
 'traffic' => array(
 'limit' => 10,
+ 'whitelist' => null,
 'header' => null,
 'dir' => 'data',
 ),

From 9327c9b58bc70709ce27ca30d29f63e4d801bd9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Tue, 5 May 2020 14:18:52 -0700
Subject: [PATCH 03/13] added whitelist check

---
 lib/Controller.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lib/Controller.php b/lib/Controller.php
index 21a27b27..5db14c22 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -196,6 +196,19 @@ class Controller
 */
 private function _create()
 {
+ // Check whitelist if allowed to create
+ $whitelist = explode(',', $this->_conf->getKey('whitelist', 'traffic'));
+ if (($option = $this->_conf->getKey('header', 'traffic')) !== null) {
+ $httpHeader = 'HTTP_' . $option;
+ if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
+ $remoteip = $_SERVER[$httpHeader];
+ }
+ }
+ if( !in_array($remoteip, $whitelist) ) {
+ $this->_return_message(1, I18n::_('Your IP is not authorized'));
+ return;
+ }
+
 // Ensure last paste from visitors IP address was more than configured amount of seconds ago.
 TrafficLimiter::setConfiguration($this->_conf);
 if (!TrafficLimiter::canPass()) {

From 9ca041fa068e9ecb30a8924b91778ffc9f9c396a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Thu, 7 May 2020 15:53:56 -0700
Subject: [PATCH 04/13] Update lib/Controller.php

Co-authored-by: rugk
---
 lib/Controller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Controller.php b/lib/Controller.php
index 5db14c22..c202f391 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -205,7 +205,7 @@ class Controller
 }
 }
 if( !in_array($remoteip, $whitelist) ) {
- $this->_return_message(1, I18n::_('Your IP is not authorized'));
+ $this->_return_message(1, I18n::_('Your IP is not authorized to create pastes.'));
 return;
 }
 

From ef9780707a941780bf13caa29e9ef28858f4b56c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Thu, 7 May 2020 15:54:13 -0700
Subject: [PATCH 05/13] Update lib/Controller.php

Co-authored-by: rugk
---
 lib/Controller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Controller.php b/lib/Controller.php
index c202f391..4f3cbdf9 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
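Review bot: `$remoteip` is only assigned inside the `header` branch, so with the default configuration (`'header' => null` in lib/Configuration.php above) the added `in_array($remoteip, $whitelist)` compares an undefined variable and rejects every paste, while `$_SERVER['REMOTE_ADDR']` is never consulted at all. The check also runs when no whitelist is configured: `explode(',', null)` yields `['']`, which no address matches, so the feature is effectively always-on once this patch lands. Start from `REMOTE_ADDR`, let the configured header override it, and skip the block entirely when the option is null; note that the header value is client-supplied unless the reverse proxy overwrites it, so this allowlist is only as strong as that proxy configuration. `_create()` continues past the end of the hunk.
```php
    private function _create()
    {
        // Only enforce the allowlist when one is configured. Start from the
        // transport-level address so omitting the proxy header cannot skip the check.
        $allowed = $this->_conf->getKey('whitelist', 'traffic');
        if ($allowed !== null) {
            $whitelist = array_map('trim', explode(',', $allowed));
            $remoteip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
            if (($option = $this->_conf->getKey('header', 'traffic')) !== null) {
                $httpHeader = 'HTTP_' . $option;
                if (!empty($_SERVER[$httpHeader])) {
                    $remoteip = $_SERVER[$httpHeader];
                }
            }
            if (!in_array($remoteip, $whitelist, true)) {
                $this->_return_message(1, I18n::_('Your IP is not authorized'));
                return;
            }
        }
        // … unchanged: TrafficLimiter check and the remainder of _create() …
```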
@@ -204,7 +204,7 @@ class Controller
 $remoteip = $_SERVER[$httpHeader];
 }
 }
- if( !in_array($remoteip, $whitelist) ) {
+ if(!in_array($remoteip, $whitelist)) {
 $this->_return_message(1, I18n::_('Your IP is not authorized to create pastes.'));
 return;
 }

From cea96ee12a1e3e91c72f6efe6cac636cca6a80a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Thu, 7 May 2020 15:55:09 -0700
Subject: [PATCH 06/13] Update cfg/conf.sample.php

Co-authored-by: rugk
---
 cfg/conf.sample.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php
index e2d7fec8..52f152e5 100644
--- a/cfg/conf.sample.php
+++ b/cfg/conf.sample.php
@@ -129,7 +129,7 @@ limit = 10
 
 ; (optional) if you only want some source IP addresses to create pastes
 ; enter their IPv4 address(es) here, separated by commas
-; whitelist = "12.34.56.78,99.88.77.66"
+; whitelist_paste_creation = "12.34.56.78,99.88.77.66"
 
 ; (optional) if your website runs behind a reverse proxy or load balancer,
 ; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR

From 819d25a74cfdde26be18d592e827ab24e49e2b11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Thu, 7 May 2020 16:13:25 -0700
Subject: [PATCH 07/13] change to whitelist_paste_creation

---
 lib/Controller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Controller.php b/lib/Controller.php
index 4f3cbdf9..45b6dacd 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -197,7 +197,7 @@ class Controller
 private function _create()
 {
 // Check whitelist if allowed to create
- $whitelist = explode(',', $this->_conf->getKey('whitelist', 'traffic'));
+ $whitelist = explode(',', $this->_conf->getKey('whitelist_paste_creation', 'traffic'));
 if (($option = $this->_conf->getKey('header', 'traffic')) !== null) {
 $httpHeader = 'HTTP_' . $option;
 if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
From c152f85b50cf38c83562bd9e7dfde543cce0d49e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Thu, 7 May 2020 16:45:24 -0700
Subject: [PATCH 08/13] removed $remoteip that the audit didn't like

---
 lib/Controller.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/Controller.php b/lib/Controller.php
index 45b6dacd..00bd981b 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -201,13 +201,13 @@ class Controller
 if (($option = $this->_conf->getKey('header', 'traffic')) !== null) {
 $httpHeader = 'HTTP_' . $option;
 if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
- $remoteip = $_SERVER[$httpHeader];
+ // compare source IP from web server with whitelist
+ if(!in_array($_SERVER[$httpHeader], $whitelist)) {
+ $this->_return_message(1, I18n::_('Your IP is not authorized to create pastes.'));
+ return;
+ }
 }
 }
- if(!in_array($remoteip, $whitelist)) {
- $this->_return_message(1, I18n::_('Your IP is not authorized to create pastes.'));
- return;
- }
 
 // Ensure last paste from visitors IP address was more than configured amount of seconds ago.
 TrafficLimiter::setConfiguration($this->_conf);

From d847e2fcf22d72fe62b9e9c78972bf20c7b85f6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Thu, 7 May 2020 16:46:31 -0700
Subject: [PATCH 09/13] alignment

---
 lib/Configuration.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/Configuration.php b/lib/Configuration.php
index aa6d15d0..95f54253 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -77,10 +77,10 @@ class Configuration
 'markdown' => 'Markdown',
 ),
 'traffic' => array(
- 'limit' => 10,
+ 'limit' => 10,
 'whitelist' => null,
- 'header' => null,
- 'dir' => 'data',
+ 'header' => null,
+ 'dir' => 'data',
 ),
 'purge' => array(
 'limit' => 300,

From b8594c174a1027bb6cd449e4cb50f99617055ff5 Mon Sep 17 00:00:00 2001
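Review bot: Moving the `in_array` test inside the `array_key_exists($httpHeader, $_SERVER) && !empty(...)` branch makes the allowlist fail open: when `header` is unset, or a client simply omits the configured header, the new side performs no check at all and the paste is created, so the restriction is bypassable by anyone who controls that header (any client, unless the reverse proxy unconditionally overwrites it). The audit warning about an undefined `$remoteip` should be fixed by initialising it before the header block, `$remoteip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';`, and keeping the single `in_array($remoteip, $whitelist)` test after it, rather than by deleting the fallback path. `_create()` begins and ends outside this hunk.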
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Thu, 7 May 2020 16:48:17 -0700
Subject: [PATCH 10/13] whitelist_paste_creation description

---
 cfg/conf.sample.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php
index 52f152e5..6b266a7c 100644
--- a/cfg/conf.sample.php
+++ b/cfg/conf.sample.php
@@ -128,7 +128,8 @@ markdown = "Markdown"
 limit = 10
 
 ; (optional) if you only want some source IP addresses to create pastes
-; enter their IPv4 address(es) here, separated by commas
+; enter their IPv4 address(es) here, separated by commas. This does not
+; currently support CIDR notation, only individual IPv4 addresses.
 ; whitelist_paste_creation = "12.34.56.78,99.88.77.66"
 
 ; (optional) if your website runs behind a reverse proxy or load balancer,

From 8fbdb69d8a2daf48c96ce39bc91bafbc2febb451 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Fri, 8 May 2020 11:36:19 -0700
Subject: [PATCH 11/13] added check for null whitelist

---
 lib/Controller.php | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/lib/Controller.php b/lib/Controller.php
index 00bd981b..6b1dbcb5 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -196,16 +196,21 @@ class Controller
 */
 private function _create()
 {
- // Check whitelist if allowed to create
- $whitelist = explode(',', $this->_conf->getKey('whitelist_paste_creation', 'traffic'));
- if (($option = $this->_conf->getKey('header', 'traffic')) !== null) {
- $httpHeader = 'HTTP_' . $option;
- if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
- // compare source IP from web server with whitelist
- if(!in_array($_SERVER[$httpHeader], $whitelist)) {
- $this->_return_message(1, I18n::_('Your IP is not authorized to create pastes.'));
- return;
- }
+ // Check if whitelist feature is enabled
+ if (($option = $this->_conf->getKey('whitelist', 'traffic')) !== null) {
+ // Parse whitelist into array
+ $whitelist = explode(',', $this->_conf->getKey('whitelist_paste_creation', 'traffic'));
+ // Check for source IP in HTTP header
+ if (($option = $this->_conf->getKey('header', 'traffic')) !== null) {
+ $httpHeader = 'HTTP_' . $option;
+ // Grab source IP from HTTP header (if it exists)
+ if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
+ // Check if source IP reported from HTTP header is in whitelist array
+ if (!in_array($_SERVER[$httpHeader], $whitelist)) {
+ $this->_return_message(1, I18n::_('Your IP is not authorized to create pastes.'));
+ return;
+ }
+ }
 }
 }
 

From effe6ad3e55201d7999c20873a28ab1bba8bc3b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Fri, 8 May 2020 11:37:21 -0700
Subject: [PATCH 12/13] fixed spacing to please StyleCI

---
 lib/Controller.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/Controller.php b/lib/Controller.php
index 6b1dbcb5..2c08b308 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
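Review bot: The new guard reads `getKey('whitelist', 'traffic')` while the line after it parses `getKey('whitelist_paste_creation', 'traffic')`; these are two different option names, so the feature is switched on by one key and configured by another, and cfg/conf.sample.php (patch 06) documents only `whitelist_paste_creation`. Reusing `$option` for both the whitelist value and the header name also means the whitelist value is read and then discarded before it is used; `$whitelist = explode(',', $option);` would use what the guard just fetched. The null check does not change that the comparison still only happens inside the `array_key_exists(...) && !empty(...)` branch, so a request without the configured header, or a deployment with `header` unset, is never checked. `_create()` continues past the end of the hunk.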
@@ -209,11 +209,11 @@ class Controller
 if (!in_array($_SERVER[$httpHeader], $whitelist)) {
 $this->_return_message(1, I18n::_('Your IP is not authorized to create pastes.'));
 return;
- }
+ }
 }
 }
 }
- 
+
 // Ensure last paste from visitors IP address was more than configured amount of seconds ago.
 TrafficLimiter::setConfiguration($this->_conf);
 if (!TrafficLimiter::canPass()) {

From 3f75c81a2feaa1c2350f2d674c86e5a0dc936471 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steven=20Andr=C3=A9s?=
Date: Fri, 8 May 2020 12:18:20 -0700
Subject: [PATCH 13/13] fixed duplicated getKey()

---
 lib/Controller.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/Controller.php b/lib/Controller.php
index 2c08b308..0aa3fe1a 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -197,9 +197,9 @@ class Controller
 private function _create()
 {
 // Check if whitelist feature is enabled
- if (($option = $this->_conf->getKey('whitelist', 'traffic')) !== null) {
+ if (($option = $this->_conf->getKey('whitelist_paste_creation', 'traffic')) !== null) {
 // Parse whitelist into array
- $whitelist = explode(',', $this->_conf->getKey('whitelist_paste_creation', 'traffic'));
+ $whitelist = explode(',', $option);
 // Check for source IP in HTTP header
 if (($option = $this->_conf->getKey('header', 'traffic')) !== null) {
 $httpHeader = 'HTTP_' . $option;
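Review bot: In this final shape the allowlist is still enforced only inside the `header` block that begins on the hunk's last line (its body, from patch 11, compares the header value only when the header is present), so a deployment with `header` unset, or a request that omits the header, is never checked and paste creation remains open to everyone; once `whitelist_paste_creation` is set the check should run unconditionally, falling back to `$_SERVER['REMOTE_ADDR']` when no header value is available. The defaults in lib/Configuration.php (patch 09 in this series) still declare `'whitelist' => null` and no `whitelist_paste_creation`, so this `getKey` call has no matching default; whether that throws or silently yields null depends on getKey(), which is not shown, but the default should be renamed to match. Entries from `explode(',', $option)` are not trimmed and are compared with a loose `in_array`, so `"a, b"` in the config silently fails to match `b`; `$whitelist = array_map('trim', explode(',', $option));` together with `in_array(..., true)` at the comparison avoids both problems. `_create()` continues past the end of the hunk.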