On Tue, Mar 19, 2013 at 05:12:23PM -0400, canyonknight wrote:
On Tue, Mar 19, 2013 at 9:23 AM, Lukas Fleischer <archlinux@cryptocrack.de> wrote:
This allows for specifying a list of IP addresses that will no longer be able to register new accounts and log in. The list of banned IP addresses can be configured in "web/lib/config.inc.php".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
What are your thoughts on taking this a step further and adding a "bans" table to the DB schema? It could eventually be extended to allow for TUs and Developers to ban IP addresses directly from the web interface without ever having to muck around with the config file.
Exactly what I was planning to do. We should also display each user's last login IP address in his profile (only visible to developers and TUs) and add a "Ban this IP address" button next to it. The "Save last login IP address" patch I submitted already adds the IP address to the Users table. Oh, and we might want to exclude TUs and developers from IP bans.
web/lib/acctfuncs.inc.php | 24 +++++++++++++++++++++--- web/lib/config.inc.php.proto | 3 +++ 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index aabb096..c202f47 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -91,7 +91,17 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $P="",$C="",$R="",$L="",$I="",$K="",$UID=0) {
# error check and process request for a new/modified account - global $SUPPORTED_LANGS, $AUR_LOCATION; + global $SUPPORTED_LANGS, $AUR_LOCATION, $BANNED_IPS; + + $error = ""; + + if (in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS)) { + $error = __('The login form is currently ' . + 'disabled for your IP address, probably due ' . + 'to sustained spam attacks. Sorry for the ' . + 'inconvenience -- we hope to be back up ' . + 'soon.'); + }
$dbh = DB::connect();
@@ -102,7 +112,6 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $editor_user = null; }
- $error = ""; if (empty($E) || empty($U)) { $error = __("Missing a required field."); } @@ -393,13 +402,22 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", * @return array Session ID for user, error message if applicable */ function try_login() { - global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT; + global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT, $BANNED_IPS;
$login_error = ""; $new_sid = ""; $userID = null;
if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) { + if (in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS)) { + $login_error = __('The login form is currently ' . + 'disabled for your IP address, probably due ' . + 'to sustained spam attacks. Sorry for the ' . + 'inconvenience -- we hope to be back up ' . + 'soon.'); + return array('SID' => '', 'error' => $login_error); + } + $dbh = DB::connect(); $userID = valid_user($_REQUEST['user']);
diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto index 1fe7dbc..0422ac5 100644 --- a/web/lib/config.inc.php.proto +++ b/web/lib/config.inc.php.proto @@ -59,3 +59,6 @@ $USE_VIRTUAL_URLS = true; # Maximum number of package results to return through an RPC connection. # Avoid setting this too high and having a PHP too much memory error. $MAX_RPC_RESULTS = 5000; + +# Prevent a list of remote addresses from logging in and creating new accounts. +$BANNED_IPS = array(); -- 1.8.2.480.g556678c
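Review bot: In the process_account_form hunk the ban check only sets $error and then falls through: the function still calls DB::connect() and runs the remaining validation, and the later `$error = __("Missing a required field.");` assignment can replace the ban message with an unrelated one. The try_login hunk returns as soon as it has set its message; do the same here, or at least test `empty($error)` before the remaining checks. Two smaller points on the same lines: `in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS)` uses loose comparison, so pass `true` as the third argument to require an exact string match; and the message text ("The login form is currently disabled ...") is the one shown on the account registration form, so the wording should cover registration as well as login. Note also that REMOTE_ADDR is the address of the reverse proxy when the site is fronted by one, in which case the list would have to contain the proxy's own address to match anything, and would then block every client.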
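Review bot: In the try_login hunk, $BANNED_IPS is only introduced in config.inc.php.proto; an existing deployment whose config.inc.php predates this patch will pass null to in_array(), which emits a warning and returns false, so the ban silently never applies. Either guard the call with `isset($BANNED_IPS) && is_array($BANNED_IPS)` or have the code fall back to an empty array when the global is unset, and use strict comparison here as well. The five-line message string is now duplicated verbatim in try_login and process_account_form; moving it into a single helper that returns the translated string keeps the two paths from drifting apart.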
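Review bot: The config.inc.php.proto comment should state what a matching entry looks like, since the check is an exact string comparison against $_SERVER['REMOTE_ADDR'] (no CIDR ranges, no X-Forwarded-For handling). Something like `$BANNED_IPS = array('192.0.2.1');` in the comment (192.0.2.1 being a documentation address, used only as a placeholder) would make the expected format obvious and spare administrators a guess about whether ranges or hostnames are accepted.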