0
/
leftypol_lainchan
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Protect IPs in public moderation logs. 

As reported, IPv6 addresses were not properly hidden in the public
facing moderation logs. This commit filters both IPv4 and IPv6
addresses.

We broke out into a separate function so that it can be tested with
the test suite.

A rudimentary test has been added to test the newly added
protect_ip($entry) function.
This commit is contained in:
Dedushka 2021-01-17 13:03:17 -05:00
parent 01dfb1850a
commit 6d43a7f62b
No known key found for this signature in database
GPG Key ID: DC969A6BA7657A70
2 changed files with 626 additions and 588 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
inc/mod/pages.php
View File

@ -704,6 +704,16 @@ function mod_user_log($username, $page_no = 1) {
mod_page(_('Moderation log'), 'mod/log.html', array('logs' => $logs, 'count' => $count, 'username' => $username));
}
function protect_ip($entry) {
$ipv4_regex = '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}';
$ipv6_regex = '(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))';
$ipv4_link_regex = '/(?:<a href="\?\/IP\/'. $ipv4_regex . '">)?(' . $ipv4_regex . ')(?:<\/a>)?/';
$ipv6_link_regex = '/(?:<a href="\?\/IP\/'. $ipv6_regex . '">)?(' . $ipv6_regex . ')(?:<\/a>)?/';
return preg_replace(array($ipv4_link_regex, $ipv6_link_regex), "xxxx", $entry);
}
function mod_board_log($board, $page_no = 1, $hide_names = false, $public = false) {
global $config;
@ -724,11 +734,8 @@ function mod_board_log($board, $page_no = 1, $hide_names = false, $public = fals
error($config['error']['404']);
if (!hasPermission($config['mod']['show_ip'])) {
// Supports ipv4 only!
foreach ($logs as $i => &$log) {
$log['text'] = preg_replace_callback('/(?:<a href="\?\/IP\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}">)?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:<\/a>)?/', function($matches) {
return "xxxx";//less_ip($matches[1]);
}, $log['text']);
$log['text'] = protect_ip($log['text']);
}
}
@ -2013,18 +2020,18 @@ function mod_edit_post($board, $edit_raw_html, $postID) {
header('Location: ?/' . sprintf($config['board_path'], $board) . $config['dir']['res'] . link_for($post) . '#' . $postID, true, $config['redirect_http']);
} else {
// Remove modifiers
$post['body_nomarkup'] = remove_modifiers($post['body_nomarkup']);
//$post['body_nomarkup'] = remove_modifiers($post['body_nomarkup']);
$post['body_nomarkup'] = utf8tohtml($post['body_nomarkup']);
$post['body'] = utf8tohtml($post['body']);
if ($config['minify_html']) {
//$post['body_nomarkup'] = utf8tohtml($post['body_nomarkup']);
//$post['body'] = utf8tohtml($post['body']);
/*if ($config['minify_html']) {
$post['body_nomarkup'] = str_replace("\n", '&#010;', $post['body_nomarkup']);
$post['body'] = str_replace("\n", '&#010;', $post['body']);
$post['body_nomarkup'] = str_replace("\r", '', $post['body_nomarkup']);
$post['body'] = str_replace("\r", '', $post['body']);
$post['body_nomarkup'] = str_replace("\t", '&#09;', $post['body_nomarkup']);
$post['body'] = str_replace("\t", '&#09;', $post['body']);
}
}*/
mod_page(_('Edit post'), 'mod/edit_post_form.html', array('token' => $security_token, 'board' => $board, 'raw' => $edit_raw_html, 'post' => $post));
}
@ -3504,4 +3511,3 @@ function mod_debug_apc() {
mod_page(_('Debug: APC'), 'mod/debug/apc.html', array('cached_vars' => $cached_vars));
}

32
tests/ProtectIPTest.php Normal file
View File

@ -0,0 +1,32 @@
<?php
use PHPUnit\Framework\TestCase;
ob_start();
define('TINYBOARD', true);
require_once "inc/mod/pages.php";
ob_end_clean();
// This is probably best done with property testing library, but let's
// wait add another dependency
final class ProtectIPTest extends TestCase
{
public function testProtectsIpv4Address(){
$expected = 'Some ban message: xxxx';
// Random IP, hope it's not yours
$input = 'Some ban message: <a href="?/IP/33.57.252.246">33.57.252.246</a>';
$output = protect_ip($input);
$this->assertEquals($output, $expected);
}
public function testProtectsIpv6Address(){
$expected = 'Some ban message: xxxx';
// Random IP, hope it's not yours
$input = 'Some ban message: <a href="?/IP/5e85:f252:9baf:2131:8984:6ab2:3db0:fa48">5e85:f252:9baf:2131:8984:6ab2:3db0:fa48</a>';
$output = protect_ip($input);
$this->assertEquals($output, $expected);
}
}