
01-T285159-rev3.patch

Authored By
sbassett
Jan 6 2023, 9:08 PM
Size
1 KB


From 0a741e27bf11cd0001273fe88bdbb6f93d8537d1 Mon Sep 17 00:00:00 2001
From: Ryan Schmidt <skizzerz@skizzerz.net>
Date: Tue, 7 Dec 2021 11:17:02 -0600
Subject: [PATCH] SECURITY: Do not apply autoblocks to untrusted XFF headers
X-Forwarded-For is not necessarily trustworthy and can specify multiple
IP addresses in a single header, all of which are checked for blocks.
When a user is autoblocked, the wiki will create an IP block
behind the scenes for that user without exposing the user's IP on-wiki.
However, spoofing XFF would let an attacker guess at the IPs of users
who have active autoblocks, since the block message includes the
username of the original block target.
We still want to apply autoblocks to XFF when it comes from a trusted
proxy server so that autoblocks still work on wikis with reverse proxies
in front of them. However, don't allow potentially-spoofed XFF through
to close up this privacy loophole.
Bug: T285159
---
includes/block/BlockManager.php | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/includes/block/BlockManager.php b/includes/block/BlockManager.php
index af4311b14..6f328fdd4 100644
--- a/includes/block/BlockManager.php
+++ b/includes/block/BlockManager.php
@@ -299,7 +299,15 @@ class BlockManager {
$xff = array_map( 'trim', explode( ',', $xff ) );
$xff = array_diff( $xff, [ $ip ] );
// TODO: remove dependency on DatabaseBlock (T221075)
- return DatabaseBlock::getBlocksForIPList( $xff, $isAnon, $fromPrimary );
+ $xffblocks = DatabaseBlock::getBlocksForIPList( $xff, $isAnon, $fromPrimary );
+
+ // (T285159) Exclude autoblocks from XFF headers to prevent spoofed
+ // headers uncovering the IPs of autoblocked users
+ $xffblocks = array_filter( $xffblocks, static function ( $block ) {
+ return $block->getType() !== Block::TYPE_AUTO;
+ } );
+
+ return $xffblocks;
}
return [];
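Review bot: the filter at `$xffblocks = array_filter( $xffblocks, static function ( $block ) {` drops autoblocks from every XFF-derived block, yet the commit message says autoblocks should still apply when the header comes from a trusted proxy; nothing in this hunk distinguishes trusted from untrusted entries, so either that distinction is already made before `$xff` reaches this code (in which case a sentence saying so next to the `(T285159)` comment would spare the next reader the same question) or the stated behaviour is not implemented here. Minor: `array_filter` preserves keys, so the returned array can have gaps; if any caller indexes the result numerically or compares it against a list with `===`, wrap the return in `array_values()`. Style: the rest of the file uses camelCase locals, so `$xffblocks` reads better as `$xffBlocks`.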
--
2.37.0 (Apple Git-136)
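The mechanism the commit message describes, as an added example that is not part of the patch or of MediaWiki's code: a toy block table and a stand-in for DatabaseBlock::getBlocksForIPList(), run once with the pre-patch behaviour and once with the autoblock filter applied. The TYPE_* constants, BLOCK_TABLE, getXffBlocks() and describeBlocks() are constructed for this illustration; the IPs are RFC 5737 documentation addresses.

```php
<?php
declare(strict_types=1);

// Added example, not MediaWiki code: a toy model of the XFF block lookup the
// patch changes. The TYPE_* names echo MediaWiki's Block::TYPE_* constants but
// the values are assumed; the block table is constructed.
const TYPE_IP   = 2;
const TYPE_AUTO = 4;

// Constructed block table. An autoblock is an IP block created silently from
// a user block; the block notice shown to the visitor names the parent user,
// which is the detail a spoofed header turns into an oracle.
const BLOCK_TABLE = [
    ['target' => '203.0.113.7',  'type' => TYPE_IP,   'parent' => null],
    ['target' => '198.51.100.9', 'type' => TYPE_AUTO, 'parent' => 'ExampleUser'],
];

/** Stand-in for DatabaseBlock::getBlocksForIPList(): every block matching any listed IP. */
function getBlocksForIPList(array $ips, array $table): array
{
    $hits = [];
    foreach ($table as $block) {
        if (in_array($block['target'], $ips, true)) {
            $hits[] = $block;
        }
    }
    return $hits;
}

/**
 * Blocks derived from the X-Forwarded-For header, mirroring the patched code path.
 * $ip is the address the request actually came from; $filterAutoblocks toggles
 * the T285159 fix.
 */
function getXffBlocks(string $ip, string $xffHeader, bool $filterAutoblocks): array
{
    // Same parsing as the original: split on commas, trim, drop the real client IP.
    $xff = array_map('trim', explode(',', $xffHeader));
    $xff = array_diff($xff, [$ip]);

    $blocks = getBlocksForIPList($xff, BLOCK_TABLE);
    if ($filterAutoblocks) {
        $blocks = array_filter($blocks, static fn(array $b): bool => $b['type'] !== TYPE_AUTO);
    }
    // array_filter keeps keys; re-index so callers get a plain list.
    return array_values($blocks);
}

/** What a visitor would see in the block notice for each returned block. */
function describeBlocks(array $blocks): array
{
    return array_map(
        static fn(array $b): string => $b['type'] === TYPE_AUTO
            ? "autoblock (originally on user {$b['parent']})"
            : "IP block on {$b['target']}",
        $blocks
    );
}

// Attacker at 192.0.2.50 guesses that 198.51.100.9 belongs to ExampleUser and
// lists it in a spoofed header alongside a known-blocked proxy address.
$spoofedHeader = '198.51.100.9, 203.0.113.7, 192.0.2.50';

echo "Before the fix:\n";
print_r(describeBlocks(getXffBlocks('192.0.2.50', $spoofedHeader, false)));
// Both blocks come back, and the autoblock's notice confirms the guess.

echo "After the fix:\n";
print_r(describeBlocks(getXffBlocks('192.0.2.50', $spoofedHeader, true)));
// Only the ordinary IP block remains; the autoblock no longer names ExampleUser.
```

Run it with `php example.php`. The point of the two runs is the last one: the ordinary IP block on 203.0.113.7 is still honoured for the spoofed header, so reverse-proxy deployments keep their XFF-based IP blocks, while the autoblock (the only kind whose notice leaks a username) is no longer reachable through an address the attacker chose.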
