Removed IP blacklist for now.

This commit is contained in:
Pachira 2023-01-05 15:56:36 +00:00
parent eafdc28d5e
commit 05766f00e0
10 changed files with 16 additions and 198 deletions


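--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,8 @@
+<?php
+namespace Misuzu\DatabaseMigrations\RemoveIpBlacklist;
+use PDO;
+function migrate_up(PDO $conn): void {
+$conn->exec('DROP TABLE msz_ip_blacklist;');
+}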
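Review bot: `migrate_up` drops `msz_ip_blacklist` outright, so any CIDR entries stored in it are discarded even though the commit title says the feature is removed only "for now"; if those rows may be wanted back, renaming or exporting the table before the DROP, or at least a comment stating that the data is lost, would make the intent explicit. No `migrate_down` is defined, which makes the migration irreversible — whether the project's migration runner expects one cannot be seen from this file. A short docblock on the function such as `/** Drops the IP blacklist table; existing entries are not preserved. */` would cover the documentation side.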


@ -2,7 +2,6 @@
namespace Misuzu;
use Misuzu\Net\IPAddress;
use Misuzu\Net\IPAddressBlacklist;
use Misuzu\Users\User;
use Misuzu\Users\UserCreationFailedException;
use Misuzu\Users\UserLoginAttempt;
@ -21,8 +20,7 @@ $register = !empty($_POST['register']) && is_array($_POST['register']) ? $_POST[
$notices = [];
$ipAddress = IPAddress::remote();
$remainingAttempts = UserLoginAttempt::remaining();
$restricted = IPAddressBlacklist::check($ipAddress) ? 'blacklist'
: (UserWarning::countByRemoteAddress() > 0 ? 'ban' : '');
$restricted = UserWarning::countByRemoteAddress() > 0 ? 'ban' : '';
while(!$restricted && !empty($register)) {
if(!CSRF::validateRequest()) {
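Review bot: The new line `$restricted = UserWarning::countByRemoteAddress() > 0 ? 'ban' : '';` is now the only address-based gate before the registration loop, and nothing in the hunk records that the blacklist branch it replaced was dropped deliberately rather than lost. A one-line comment above it, `// Only addresses with active warnings are blocked from registering; the IP blacklist gate has been removed.`, would stop a later reader from treating the missing check as an accident. The `while(!$restricted && !empty($register))` loop that consumes the value starts in this hunk and continues past it; the first hunk in this file only drops the `IPAddressBlacklist` import.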


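--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,51 +0,0 @@
-<?php
-namespace Misuzu;
-use Misuzu\Net\IPAddressBlacklist;
-use Misuzu\Users\User;
-require_once '../../../misuzu.php';
-if(!User::hasCurrent() || !perms_check_user(MSZ_PERMS_GENERAL, User::getCurrent()->getId(), MSZ_PERM_GENERAL_MANAGE_BLACKLIST)) {
-echo render_error(403);
-return;
-}
-$notices = [];
-if(!empty($_POST)) {
-if(!CSRF::validateRequest()) {
-$notices[] = 'Verification failed.';
-} else {
-header(CSRF::header());
-if(!empty($_POST['blacklist']['remove']) && is_array($_POST['blacklist']['remove'])) {
-foreach($_POST['blacklist']['remove'] as $cidr) {
-if(!IPAddressBlacklist::remove($cidr)) {
-$notices[] = sprintf('Failed to remove "%s" from the blacklist.', $cidr);
-}
-}
-}
-if(!empty($_POST['blacklist']['add']) && is_string($_POST['blacklist']['add'])) {
-$cidrs = explode("\n", $_POST['blacklist']['add']);
-foreach($cidrs as $cidr) {
-$cidr = trim($cidr);
-if(empty($cidr)) {
-continue;
-}
-if(!IPAddressBlacklist::add($cidr)) {
-$notices[] = sprintf('Failed to add "%s" to the blacklist.', $cidr);
-}
-}
-}
-}
-}
-Template::render('manage.general.blacklist', [
-'notices' => $notices,
-'blacklist' => IPAddressBlacklist::list(),
-]);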


@ -139,10 +139,6 @@ $statistics = DB::query('
FROM `msz_forum_topics`
WHERE `topic_locked` IS NOT NULL
) AS `stat_forum_topics_locked`,
(
SELECT COUNT(*)
FROM `msz_ip_blacklist`
) AS `stat_blacklist`,
(
SELECT COUNT(*)
FROM `msz_login_attempts`


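--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,80 +0,0 @@
-<?php
-namespace Misuzu\Net;
-use Misuzu\DB;
-final class IPAddressBlacklist {
-public static function check(string $address): bool {
-return (bool)DB::prepare("
-SELECT INET6_ATON(:address) AS `target`, (
-SELECT COUNT(*) > 0
-FROM `msz_ip_blacklist`
-WHERE LENGTH(`ip_subnet`) = LENGTH(`target`)
-AND `ip_subnet` & LPAD('', LENGTH(`ip_subnet`), X'FF') << LENGTH(`ip_subnet`) * 8 - `ip_mask`
-= `target` & LPAD('', LENGTH(`ip_subnet`), X'FF') << LENGTH(`ip_subnet`) * 8 - `ip_mask`
-)
-")->bind('address', $address)
-->fetchColumn(1, false);
-}
-public static function add(string $cidr): bool {
-$raw = IPAddress::cidrToRaw($cidr);
-if(empty($raw))
-return false;
-return self::addRaw($raw['subnet'], $raw['mask']);
-}
-public static function addRaw(string $subnet, ?int $mask = null): bool {
-$version = IPAddress::detectRawVersion($subnet);
-if($version === IPAddress::VERSION_UNKNOWN)
-return false;
-$bits = IPAddress::rawWidth($version) * 8;
-if(empty($mask)) {
-$mask = $bits;
-} elseif($mask < 1 || $mask > $bits) {
-return false;
-}
-return DB::prepare('
-REPLACE INTO `msz_ip_blacklist` (`ip_subnet`, `ip_mask`)
-VALUES (:subnet, :mask)
-')->bind('subnet', $subnet)
-->bind('mask', $mask)
-->execute();
-}
-public static function remove(string $cidr): bool {
-$raw = IPAddress::cidrToRaw($cidr);
-if(empty($raw))
-return false;
-return self::removeRaw($raw['subnet'], $raw['mask']);
-}
-public static function removeRaw(string $subnet, ?int $mask = null): bool {
-return DB::prepare('
-DELETE FROM `msz_ip_blacklist`
-WHERE `ip_subnet` = :subnet
-AND `ip_mask` = :mask
-')->bind('subnet', $subnet)
-->bind('mask', $mask)
-->execute();
-}
-public static function list(): array {
-return DB::query("
-SELECT
-INET6_NTOA(`ip_subnet`) AS `ip_subnet`,
-`ip_mask`,
-LENGTH(`ip_subnet`) AS `ip_bytes`,
-CONCAT(INET6_NTOA(`ip_subnet`), '/', `ip_mask`) as `ip_cidr`
-FROM `msz_ip_blacklist`
-")->fetchAll();
-}
-}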


@ -15,8 +15,6 @@ function manage_get_menu(int $userId): array {
$menu['General']['Emoticons'] = url('manage-general-emoticons');
if(perms_check_user(MSZ_PERMS_GENERAL, $userId, MSZ_PERM_GENERAL_MANAGE_CONFIG))
$menu['General']['Settings'] = url('manage-general-settings');
if(perms_check_user(MSZ_PERMS_GENERAL, $userId, MSZ_PERM_GENERAL_MANAGE_BLACKLIST))
$menu['General']['IP Blacklist'] = url('manage-general-blacklist');
if(perms_check_user(MSZ_PERMS_GENERAL, $userId, MSZ_PERM_GENERAL_MANAGE_TWITTER))
$menu['General']['Twitter Connection'] = url('manage-general-twitter');
@ -24,8 +22,6 @@ function manage_get_menu(int $userId): array {
$menu['Users & Roles']['Users'] = url('manage-users');
if(perms_check_user(MSZ_PERMS_USER, $userId, MSZ_PERM_USER_MANAGE_ROLES))
$menu['Users & Roles']['Roles'] = url('manage-roles');
//if(perms_check_user(MSZ_PERMS_USER, $userId, MSZ_PERM_USER_MANAGE_REPORTS))
// $menu['Users & Roles']['Reports'] = url('manage-users-reports');
if(perms_check_user(MSZ_PERMS_USER, $userId, MSZ_PERM_USER_MANAGE_WARNINGS))
$menu['Users & Roles']['Warnings'] = url('manage-users-warnings');
@ -144,11 +140,6 @@ function manage_perms_list(array $rawPerms): array {
'title' => 'Can use experimental features.',
'perm' => MSZ_PERM_GENERAL_IS_TESTER,
],
[
'section' => 'manage-blacklist',
'title' => 'Can manage blacklistings.',
'perm' => MSZ_PERM_GENERAL_MANAGE_BLACKLIST,
],
[
'section' => 'manage-twitter',
'title' => 'Can manage Twitter connection.',


@ -1,12 +1,12 @@
<?php
define('MSZ_PERMS_GENERAL', 'general');
define('MSZ_PERM_GENERAL_CAN_MANAGE', 0x00000001);
define('MSZ_PERM_GENERAL_VIEW_LOGS', 0x00000002);
define('MSZ_PERM_GENERAL_MANAGE_EMOTES', 0x00000004);
define('MSZ_PERM_GENERAL_MANAGE_CONFIG', 0x00000008);
define('MSZ_PERM_GENERAL_IS_TESTER', 0x00000010);
define('MSZ_PERM_GENERAL_MANAGE_BLACKLIST', 0x00000020);
define('MSZ_PERM_GENERAL_MANAGE_TWITTER', 0x00000040);
define('MSZ_PERM_GENERAL_CAN_MANAGE', 0x00000001);
define('MSZ_PERM_GENERAL_VIEW_LOGS', 0x00000002);
define('MSZ_PERM_GENERAL_MANAGE_EMOTES', 0x00000004);
define('MSZ_PERM_GENERAL_MANAGE_CONFIG', 0x00000008);
define('MSZ_PERM_GENERAL_IS_TESTER', 0x00000010);
//define('MSZ_PERM_GENERAL_MANAGE_BLACKLIST', 0x00000020); Blacklist has been removed for now to reduce overhead and because it was broken(?)
define('MSZ_PERM_GENERAL_MANAGE_TWITTER', 0x00000040);
define('MSZ_PERMS_USER', 'user');
define('MSZ_PERM_USER_EDIT_PROFILE', 0x00000001);
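Review bot: Commenting out `MSZ_PERM_GENERAL_MANAGE_BLACKLIST` leaves bit 0x00000020 of the general permission mask unassigned without saying it is reserved; if these masks are persisted per user or role (the `perms_check_user` calls in the manage hunks suggest they are, but the storage is not visible here), a later define that reuses 0x00000020 would silently grant the new permission to every account that previously held the blacklist permission. The trailing comment should state that constraint rather than only the reason for removal, e.g. `//define('MSZ_PERM_GENERAL_MANAGE_BLACKLIST', 0x00000020); removed for now (broken?); keep 0x00000020 reserved, stored masks may still have this bit set.` If the blacklist returns, reusing the same value is the safe choice for the same reason.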


@ -91,7 +91,6 @@ define('MSZ_URLS', [
'manage-general-overview' => ['/manage/general'],
'manage-general-logs' => ['/manage/general/logs.php'],
'manage-general-blacklist' => ['/manage/general/blacklist.php'],
'manage-general-twitter' => ['/manage/general/twitter.php'],
'manage-general-emoticons' => ['/manage/general/emoticons.php'],
@ -120,8 +119,6 @@ define('MSZ_URLS', [
'manage-users' => ['/manage/users'],
'manage-user' => ['/manage/users/user.php', ['u' => '<user>']],
'manage-users-reports' => ['/manage/users/reports.php', ['u' => '<user>']],
'manage-users-report' => ['/manage/users/report.php', ['r' => '<report>']],
'manage-users-warnings' => ['/manage/users/warnings.php', ['u' => '<user>']],
'manage-users-warning-delete' => ['/manage/users/warnings.php', ['w' => '<warning>', 'delete' => '1', 'csrf' => '{csrf}']],


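--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,40 +0,0 @@
-{% extends 'manage/general/master.twig' %}
-{% from 'macros.twig' import container_title, pagination %}
-{% from '_layout/input.twig' import input_csrf, input_text, input_checkbox, input_file, input_select %}
-{% block manage_content %}
-<div class="container">
-{{ container_title('<i class="fas fa-shield-alt fa-fw"></i> IP Blacklist') }}
-<div class="manage__description">
-Here you can add or remove CIDR ranges to the IP Blacklist, these ranges are allowed to log into the site but cannot create accounts.
-</div>
-{% if notices|length > 0 %}
-<div class="warning">
-<div class="warning__content">
-{% for notice in notices %}
-{{ notice }}
-{% endfor %}
-</div>
-</div>
-{% endif %}
-<div class="manage__blacklist">
-<form action="{{ url('manage-general-blacklist') }}" method="post" class="manage__blacklist__form">
-{{ input_csrf() }}
-<textarea name="blacklist[add]" class="input__textarea manage__blacklist__textarea" placeholder="Enter CIDR (subnet/mask), each line will be processed. Addresses without a mask will just be blacklisted alone."></textarea>
-<button class="input__button input__button--save manage__blacklist__button">Add</button>
-</form>
-<form action="{{ url('manage-general-blacklist') }}" method="post" class="manage__blacklist__form">
-{{ input_csrf() }}
-{{ input_select('blacklist[remove][]', blacklist, null, 'ip_cidr', null, true, 'manage__blacklist__select', {
-'multiple': true,
-'size': 10,
-}) }}
-<button class="input__button input__button--destroy manage__blacklist__button">Remove</button>
-</form>
-</div>
-</div>
-{% endblock %}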


@ -30,7 +30,6 @@
'stat_forum_topics_global_announce': 'Global Announcement Forum Topics',
'stat_forum_topics_deleted': 'Deleted Forum Topics',
'stat_forum_topics_locked': 'Locked Forum Topics',
'stat_blacklist': 'Blacklisted IP addresses',
'stat_login_attempts_total': 'Total Login Attempts',
'stat_login_attempts_failed': 'Failed Login Attempts',
'stat_user_sessions': 'Active User Sessions',