[aur-dev] [PATCH] Add an IP ban list

canyonknight canyonknight at gmail.com
Tue Mar 19 17:12:23 EDT 2013


On Tue, Mar 19, 2013 at 9:23 AM, Lukas Fleischer
<archlinux at cryptocrack.de> wrote:
> This allows for specifying a list of IP addresses that will no longer be
> able to register new accounts and login. The list of banned IP addresses
> can be configured in "web/lib/config.inc.php".
>
> Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
> ---

What are your thoughts on taking this a step further and adding a
"bans" table to the DB schema? It could eventually be extended to
allow for TUs and Developers to ban IP addresses directly from the web
interface without ever having to muck around with the config file.

>  web/lib/acctfuncs.inc.php    | 24 +++++++++++++++++++++---
>  web/lib/config.inc.php.proto |  3 +++
>  2 files changed, 24 insertions(+), 3 deletions(-)
>
> diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
> index aabb096..c202f47 100644
> --- a/web/lib/acctfuncs.inc.php
> +++ b/web/lib/acctfuncs.inc.php
> @@ -91,7 +91,17 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
>                         $P="",$C="",$R="",$L="",$I="",$K="",$UID=0) {
>
>         # error check and process request for a new/modified account
> -       global $SUPPORTED_LANGS, $AUR_LOCATION;
> +       global $SUPPORTED_LANGS, $AUR_LOCATION, $BANNED_IPS;
> +
> +       $error = "";
> +
> +       if (in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS)) {
> +               $error = __('The login form is currently ' .
> +                       'disabled for your IP address, probably due ' .
> +                       'to sustained spam attacks. Sorry for the ' .
> +                       'inconvenience -- we hope to be back up ' .
> +                       'soon.');
> +       }
>
>         $dbh = DB::connect();
>
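Review bot: the ban check in process_account_form sets $error but does not return, so execution continues into DB::connect() and the rest of the validation; since the later checks assign $error instead of appending to it, a banned client can end up with an unrelated validation message rather than the ban notice. Consider returning as soon as the ban matches, as try_login does in the third hunk. Two smaller points: the message says "login form" although this path handles the account form, and the comment above says the function processes new and modified accounts, so the ban also blocks profile edits by existing users, which the commit message does not mention.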
> @@ -102,7 +112,6 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
>                 $editor_user = null;
>         }
>
> -       $error = "";
>         if (empty($E) || empty($U)) {
>                 $error = __("Missing a required field.");
>         }
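Review bot: dropping this `$error = "";` is consistent with the initialisation moved to the top, but the `if (empty($E) || empty($U))` check right here now overwrites a ban message that may already be in $error, and the later checks do the same. If the ban is meant to take precedence, the function needs to bail out before this point, or these checks need an `if ($error == "")` guard.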
> @@ -393,13 +402,22 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
>   * @return array Session ID for user, error message if applicable
>   */
>  function try_login() {
> -       global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT;
> +       global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT, $BANNED_IPS;
>
>         $login_error = "";
>         $new_sid = "";
>         $userID = null;
>
>         if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) {
> +               if (in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS)) {
> +                       $login_error = __('The login form is currently ' .
> +                               'disabled for your IP address, probably due ' .
> +                               'to sustained spam attacks. Sorry for the ' .
> +                               'inconvenience -- we hope to be back up ' .
> +                               'soon.');
> +                       return array('SID' => '', 'error' => $login_error);
> +               }
> +
>                 $dbh = DB::connect();
>                 $userID = valid_user($_REQUEST['user']);
>
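Review bot: in_array() is called with loose comparison; pass `true` as the third argument (`in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS, true)`) so a non-string entry in $BANNED_IPS cannot match unexpectedly. The match is an exact string comparison against $_SERVER['REMOTE_ADDR'], so address ranges cannot be expressed, and when the AUR runs behind a reverse proxy REMOTE_ADDR is the proxy's address, which would make any entry either match everyone or nobody; that deserves a note in the config. The long error string is duplicated verbatim from the first hunk; a small helper (a hypothetical is_ipbanned() returning the message, for example) would keep the two paths in sync.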
> diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto
> index 1fe7dbc..0422ac5 100644
> --- a/web/lib/config.inc.php.proto
> +++ b/web/lib/config.inc.php.proto
> @@ -59,3 +59,6 @@ $USE_VIRTUAL_URLS = true;
>  # Maximum number of package results to return through an RPC connection.
>  # Avoid setting this too high and having a PHP too much memory error.
>  $MAX_RPC_RESULTS = 5000;
> +
> +# Prevent a list of remote addresses from logging in and creating new accounts.
> +$BANNED_IPS = array();
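Review bot: the comment should document the expected format: one literal IP address string per entry, compared exactly against $_SERVER['REMOTE_ADDR'] (no CIDR ranges, no hostnames), and that behind a reverse proxy REMOTE_ADDR is the proxy's address. A commented-out example entry such as `# $BANNED_IPS = array('192.0.2.1');` (a documentation-range placeholder) would make the format obvious to whoever edits config.inc.php.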
> --
> 1.8.2.480.g556678c
>
