2012-04-30 01:15:06 +08:00
|
|
|
<?php
|
2021-05-04 16:29:25 +08:00
|
|
|
|
2012-04-30 01:15:06 +08:00
|
|
|
/**
|
2016-07-11 17:58:15 +08:00
|
|
|
* PrivateBin
|
2012-04-30 01:15:06 +08:00
|
|
|
*
|
|
|
|
* a zero-knowledge paste bin
|
|
|
|
*
|
2016-07-11 17:58:15 +08:00
|
|
|
* @link https://github.com/PrivateBin/PrivateBin
|
2012-04-30 01:15:06 +08:00
|
|
|
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
|
2016-07-19 19:56:52 +08:00
|
|
|
* @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
|
2021-04-05 22:44:12 +08:00
|
|
|
* @version 1.3.5
|
2012-04-30 01:15:06 +08:00
|
|
|
*/
|
2016-12-13 01:43:23 +08:00
|
|
|
|
2016-12-13 01:49:08 +08:00
|
|
|
namespace PrivateBin\Persistence;
|
2016-08-09 17:54:42 +08:00
|
|
|
|
|
|
|
use PrivateBin\Configuration;
|
2016-07-21 23:09:48 +08:00
|
|
|
|
2012-04-30 01:15:06 +08:00
|
|
|
/**
|
2016-08-09 17:54:42 +08:00
|
|
|
* TrafficLimiter
|
2012-04-30 01:15:06 +08:00
|
|
|
*
|
|
|
|
* Handles traffic limiting, so no user does more than one call per 10 seconds.
|
|
|
|
*/
|
2016-08-09 17:54:42 +08:00
|
|
|
class TrafficLimiter extends AbstractPersistence
|
2012-04-30 01:15:06 +08:00
|
|
|
{
|
|
|
|
/**
|
2015-08-16 21:55:31 +08:00
|
|
|
* time limit in seconds, defaults to 10s
|
|
|
|
*
|
2012-04-30 01:15:06 +08:00
|
|
|
* @access private
|
|
|
|
* @static
|
|
|
|
* @var int
|
|
|
|
*/
|
|
|
|
private static $_limit = 10;
|
2021-05-04 17:18:06 +08:00
|
|
|
|
2021-05-04 16:29:25 +08:00
|
|
|
/**
|
|
|
|
* listed ips are exempted from limits, defaults to null
|
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @static
|
|
|
|
* @var array
|
|
|
|
*/
|
|
|
|
private static $_exemptedIp = null;
|
2012-04-30 01:15:06 +08:00
|
|
|
|
2015-09-26 23:57:46 +08:00
|
|
|
/**
|
|
|
|
* key to fetch IP address
|
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @static
|
|
|
|
* @var string
|
|
|
|
*/
|
|
|
|
private static $_ipKey = 'REMOTE_ADDR';
|
|
|
|
|
2012-04-30 01:15:06 +08:00
|
|
|
/**
|
|
|
|
* set the time limit in seconds
|
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @static
|
|
|
|
* @param int $limit
|
|
|
|
*/
|
|
|
|
public static function setLimit($limit)
|
|
|
|
{
|
|
|
|
self::$_limit = $limit;
|
|
|
|
}
|
|
|
|
|
2021-05-04 16:29:25 +08:00
|
|
|
/**
|
2021-05-04 17:01:46 +08:00
|
|
|
* set a list of ip(ranges) as string
|
2021-05-04 16:29:25 +08:00
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @static
|
2021-05-04 17:01:46 +08:00
|
|
|
* @param string $exemptedIps
|
2021-05-04 16:29:25 +08:00
|
|
|
*/
|
|
|
|
public static function setExemptedIp($exemptedIp)
|
|
|
|
{
|
|
|
|
self::$_exemptedIp = $exemptedIp;
|
|
|
|
}
|
|
|
|
|
2015-09-26 23:57:46 +08:00
|
|
|
/**
|
|
|
|
* set configuration options of the traffic limiter
|
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @static
|
2016-08-09 17:54:42 +08:00
|
|
|
* @param Configuration $conf
|
2015-09-26 23:57:46 +08:00
|
|
|
*/
|
2016-08-09 17:54:42 +08:00
|
|
|
public static function setConfiguration(Configuration $conf)
|
2015-09-26 23:57:46 +08:00
|
|
|
{
|
|
|
|
self::setLimit($conf->getKey('limit', 'traffic'));
|
|
|
|
self::setPath($conf->getKey('dir', 'traffic'));
|
2021-05-04 16:29:25 +08:00
|
|
|
self::setExemptedIp($conf->getKey('exemptedIp', 'traffic'));
|
|
|
|
|
2016-07-26 14:19:35 +08:00
|
|
|
if (($option = $conf->getKey('header', 'traffic')) !== null) {
|
2015-09-26 23:57:46 +08:00
|
|
|
$httpHeader = 'HTTP_' . $option;
|
2016-07-26 14:19:35 +08:00
|
|
|
if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
|
2015-09-26 23:57:46 +08:00
|
|
|
self::$_ipKey = $httpHeader;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2016-08-10 23:41:46 +08:00
|
|
|
* get a HMAC of the current visitors IP address
|
2015-09-26 23:57:46 +08:00
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @static
|
2016-08-10 23:41:46 +08:00
|
|
|
* @param string $algo
|
2015-09-26 23:57:46 +08:00
|
|
|
* @return string
|
|
|
|
*/
|
2016-08-10 23:41:46 +08:00
|
|
|
public static function getHash($algo = 'sha512')
|
2015-09-26 23:57:46 +08:00
|
|
|
{
|
2016-08-10 23:41:46 +08:00
|
|
|
return hash_hmac($algo, $_SERVER[self::$_ipKey], ServerSalt::get());
|
2015-09-26 23:57:46 +08:00
|
|
|
}
|
|
|
|
|
2021-05-06 18:13:03 +08:00
|
|
|
/**
|
|
|
|
* Validate $_ipKey against configured ipranges. If matched ratelimiter will ignore ip
|
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @static
|
2021-05-06 18:18:44 +08:00
|
|
|
* @param string $ipRange
|
|
|
|
* @return bool
|
2021-05-06 18:13:03 +08:00
|
|
|
*/
|
|
|
|
private static function matchIp($ipRange = null)
|
|
|
|
{
|
|
|
|
// Match $_ipKey to $ipRange and if it matches it will return with a true
|
|
|
|
$address = \IPLib\Factory::addressFromString($_SERVER[self::$_ipKey]);
|
|
|
|
$range = \IPLib\Factory::rangeFromString(trim($ipRange));
|
2021-05-19 14:47:35 +08:00
|
|
|
|
2021-05-22 16:59:47 +08:00
|
|
|
// address could not be parsed, we might not be in IP space and try a string comparison instead
|
|
|
|
if ($address == null) {
|
|
|
|
return $_SERVER[self::$_ipKey] === $ipRange;
|
|
|
|
}
|
|
|
|
// range could not be parsed, possibly an invalid ip range given in config
|
2021-05-19 15:01:45 +08:00
|
|
|
if ($range == null) {
|
|
|
|
return false;
|
|
|
|
}
|
2021-05-19 14:47:35 +08:00
|
|
|
|
2021-05-22 16:59:47 +08:00
|
|
|
// Ip-lib throws an exception when something goes wrong, if so we want to catch it and set contained to false
|
2021-05-19 14:47:35 +08:00
|
|
|
try {
|
|
|
|
return $address->matches($range);
|
|
|
|
} catch (\Exception $e) {
|
2021-05-22 16:59:47 +08:00
|
|
|
// If something is wrong with matching the ip, we assume it doesn't match
|
|
|
|
return false;
|
2021-05-06 18:13:03 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-04-30 01:15:06 +08:00
|
|
|
/**
|
|
|
|
* traffic limiter
|
|
|
|
*
|
|
|
|
* Make sure the IP address makes at most 1 request every 10 seconds.
|
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @static
|
2018-11-19 20:07:25 +08:00
|
|
|
* @throws \Exception
|
2012-04-30 01:15:06 +08:00
|
|
|
* @return bool
|
|
|
|
*/
|
2015-09-26 23:57:46 +08:00
|
|
|
public static function canPass()
|
2012-04-30 01:15:06 +08:00
|
|
|
{
|
2015-09-26 23:57:46 +08:00
|
|
|
// disable limits if set to less then 1
|
2016-07-26 14:19:35 +08:00
|
|
|
if (self::$_limit < 1) {
|
|
|
|
return true;
|
|
|
|
}
|
2021-05-06 18:18:44 +08:00
|
|
|
|
2021-05-04 16:29:25 +08:00
|
|
|
// Check if $_ipKey is exempted from ratelimiting
|
|
|
|
if (!is_null(self::$_exemptedIp)) {
|
2021-05-04 17:14:11 +08:00
|
|
|
$exIp_array = explode(',', self::$_exemptedIp);
|
2021-05-04 16:29:25 +08:00
|
|
|
foreach ($exIp_array as $ipRange) {
|
2021-05-06 18:18:44 +08:00
|
|
|
if (self::matchIp($ipRange) === true) {
|
2021-05-04 16:29:25 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2013-10-31 06:54:42 +08:00
|
|
|
|
2013-11-01 08:15:14 +08:00
|
|
|
$file = 'traffic_limiter.php';
|
2018-07-29 21:43:28 +08:00
|
|
|
if (self::_exists($file)) {
|
|
|
|
require self::getPath($file);
|
|
|
|
$tl = $GLOBALS['traffic_limiter'];
|
|
|
|
} else {
|
|
|
|
$tl = array();
|
2012-04-30 01:15:06 +08:00
|
|
|
}
|
|
|
|
|
2016-08-10 23:41:46 +08:00
|
|
|
// purge file of expired hashes to keep it small
|
2018-07-29 21:43:28 +08:00
|
|
|
$now = time();
|
2016-07-26 14:19:35 +08:00
|
|
|
foreach ($tl as $key => $time) {
|
|
|
|
if ($time + self::$_limit < $now) {
|
2012-04-30 01:15:06 +08:00
|
|
|
unset($tl[$key]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-07-29 21:43:28 +08:00
|
|
|
// this hash is used as an array key, hence a shorter algo is used
|
2016-08-10 23:41:46 +08:00
|
|
|
$hash = self::getHash('sha256');
|
|
|
|
if (array_key_exists($hash, $tl) && ($tl[$hash] + self::$_limit >= $now)) {
|
2012-04-30 01:15:06 +08:00
|
|
|
$result = false;
|
|
|
|
} else {
|
2016-08-10 23:41:46 +08:00
|
|
|
$tl[$hash] = time();
|
2016-08-15 22:45:47 +08:00
|
|
|
$result = true;
|
2012-04-30 01:15:06 +08:00
|
|
|
}
|
2013-11-01 08:15:14 +08:00
|
|
|
self::_store(
|
2012-04-30 01:15:06 +08:00
|
|
|
$file,
|
|
|
|
'<?php' . PHP_EOL .
|
2018-07-29 21:43:28 +08:00
|
|
|
'$GLOBALS[\'traffic_limiter\'] = ' . var_export($tl, true) . ';'
|
2012-04-30 01:15:06 +08:00
|
|
|
);
|
|
|
|
return $result;
|
|
|
|
}
|
|
|
|
}
|