[aur-dev] [PATCH] Add an IP ban list

Lukas Fleischer archlinux at cryptocrack.de
Tue Mar 19 17:42:39 EDT 2013


On Tue, Mar 19, 2013 at 05:12:23PM -0400, canyonknight wrote:
> On Tue, Mar 19, 2013 at 9:23 AM, Lukas Fleischer
> <archlinux at cryptocrack.de> wrote:
> > This allows for specifying a list of IP addresses that will no longer be
> > able to register new accounts and login. The list of banned IP addresses
> > can be configured in "web/lib/config.inc.php".
> >
> > Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
> > ---
> 
> What are your thoughts on taking this a step further and adding a
> "bans" table to the DB schema? It could eventually be extended to
> allow for TUs and Developers to ban IP addresses directly from the web
> interface without ever having to muck around with the config file.

Exactly what I was planning to do.

We should also display each user's last login IP address in his profile
(only visible to developers and TUs) and add a "Ban this IP address"
button next to it. The "Save last login IP address" patch I submitted
already adds the IP address to the Users table.

Oh, and we might want to exclude TUs and developers from IP bans.

> 
> >  web/lib/acctfuncs.inc.php    | 24 +++++++++++++++++++++---
> >  web/lib/config.inc.php.proto |  3 +++
> >  2 files changed, 24 insertions(+), 3 deletions(-)
> >
> > diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
> > index aabb096..c202f47 100644
> > --- a/web/lib/acctfuncs.inc.php
> > +++ b/web/lib/acctfuncs.inc.php
> > @@ -91,7 +91,17 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
> >                         $P="",$C="",$R="",$L="",$I="",$K="",$UID=0) {
> >
> >         # error check and process request for a new/modified account
> > -       global $SUPPORTED_LANGS, $AUR_LOCATION;
> > +       global $SUPPORTED_LANGS, $AUR_LOCATION, $BANNED_IPS;
> > +
> > +       $error = "";
> > +
> > +       if (in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS)) {
> > +               $error = __('The login form is currently ' .
> > +                       'disabled for your IP address, probably due ' .
> > +                       'to sustained spam attacks. Sorry for the ' .
> > +                       'inconvenience -- we hope to be back up ' .
> > +                       'soon.');
> > +       }
> >
> >         $dbh = DB::connect();
> >
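Review bot: The ban check in process_account_form only sets $error and then falls through to DB::connect() and the rest of the validation; since every later check assigns with `$error = __(...)` rather than appending, a banned address that also trips a later check (e.g. a missing field) gets the generic message instead of the ban notice. Consider returning early as try_login does in the next hunk, and pass `true` as the third argument to in_array() so the comparison is strict. The message text also says "The login form is currently disabled" although this path is the account creation/edit form, so the wording should name the right form, and since the same string appears twice in this patch it is worth factoring into one helper such as a hypothetical is_banned_ip() that both callers use.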
> > @@ -102,7 +112,6 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
> >                 $editor_user = null;
> >         }
> >
> > -       $error = "";
> >         if (empty($E) || empty($U)) {
> >                 $error = __("Missing a required field.");
> >         }
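Review bot: Dropping the `$error = "";` here is required so the ban message set earlier survives, but the checks that follow still overwrite $error unconditionally, so the ban notice is only shown when no other validation error fires; either return early after the ban check or guard the later assignments with `if (empty($error))`.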
> > @@ -393,13 +402,22 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
> >   * @return array Session ID for user, error message if applicable
> >   */
> >  function try_login() {
> > -       global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT;
> > +       global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT, $BANNED_IPS;
> >
> >         $login_error = "";
> >         $new_sid = "";
> >         $userID = null;
> >
> >         if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) {
> > +               if (in_array($_SERVER['REMOTE_ADDR'], $BANNED_IPS)) {
> > +                       $login_error = __('The login form is currently ' .
> > +                               'disabled for your IP address, probably due ' .
> > +                               'to sustained spam attacks. Sorry for the ' .
> > +                               'inconvenience -- we hope to be back up ' .
> > +                               'soon.');
> > +                       return array('SID' => '', 'error' => $login_error);
> > +               }
> > +
> >                 $dbh = DB::connect();
> >                 $userID = valid_user($_REQUEST['user']);
> >
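Review bot: The early `return array('SID' => '', 'error' => $login_error);` is the right shape for the ban check, but a blocked login attempt is exactly the event an operator wants to see in the logs, so consider an error_log() call (or the project's logging routine) recording the remote address before returning. As in the first hunk, in_array() should use strict comparison. Note too that $_SERVER['REMOTE_ADDR'] is the address of the TCP peer, so behind a reverse proxy every visitor shares the proxy's address and a single entry in $BANNED_IPS would lock everyone out; that deployment caveat belongs in the config comment or the commit message.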
> > diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto
> > index 1fe7dbc..0422ac5 100644
> > --- a/web/lib/config.inc.php.proto
> > +++ b/web/lib/config.inc.php.proto
> > @@ -59,3 +59,6 @@ $USE_VIRTUAL_URLS = true;
> >  # Maximum number of package results to return through an RPC connection.
> >  # Avoid setting this too high and having a PHP too much memory error.
> >  $MAX_RPC_RESULTS = 5000;
> > +
> > +# Prevent a list of remote addresses from logging in and creating new accounts.
> > +$BANNED_IPS = array();
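Review bot: The comment above `$BANNED_IPS = array();` should state the expected format, because in_array() does an exact string match: one address per element, no CIDR ranges or wildcards, and IPv6 addresses must be written in the same textual form PHP reports in REMOTE_ADDR (e.g. "::1", not "0:0:0:0:0:0:0:1") or they will never match. A short example entry in the comment would make the limitation clear to whoever edits config.inc.php.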
> > --
> > 1.8.2.480.g556678c
> >