[ https://issues.apache.org/jira/browse/JSPWIKI-1183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ulf Dittmer updated JSPWIKI-1183: --------------------------------- Description: The IfPlugin.checkIP method has a comment "TODO: Add subnetwork matching, e.g. 10.0.0.0/8". This is a patch to address this. Sorry that this does not come as a PR, but the changes are limited in scope. Additions to pom.xml {{ <ipaddress.version>5.4.0</ipaddress.version> <dependency> <groupId>com.github.seancfoley</groupId> <artifactId>ipaddress</artifactId> <version>${ipaddress.version}</version> </dependency> }} Additions to jspwiki-util/pom.xml {{ <dependency> <groupId>com.github.seancfoley</groupId> <artifactId>ipaddress</artifactId> </dependency>}} Changes in jspwiki-util/src/main/java/org/apache/wiki/util/HttpUtil.java This method now checks whether the IP contains a comma, which can happen if the request goes through more than one proxy. That's not directly related to this patch, but useful nonetheless. {{ /** * returns the remote address by looking into {@code x-forwarded-for} header or, if unavailable, * into {@link HttpServletRequest#getRemoteAddr()}. * * @param req http request * @return remote address associated to the request. */ public static String getRemoteAddress( final HttpServletRequest req ) { String realIP = StringUtils.isNotEmpty ( req.getHeader( "X-Forwarded-For" ) ) ? 
req.getHeader( "X-Forwarded-For" ) : req.getRemoteAddr(); // can be a comma-separated list of IPs if (realIP.contains(",")) realIP = realIP.substring(realIP.indexOf(",")); return realIP; }}} This method is new {{ /** * Returns whether or not the IP address of the request equals a given IP, or is in a given IP range * * @param req http request * @param ipOrRange IP address or IP range to test against * @return */ public static boolean ipIsInRange ( final HttpServletRequest req, final String ipOrRange ) { String requestIP = getRemoteAddress(req); if (ipOrRange.contains("/")) { IPAddressString testRange = new IPAddressString(ipOrRange); return testRange.contains(new IPAddressString(requestIP)); } else { return requestIP.equals(ipOrRange); } } }} Changes in jspwiki-main/src/main/java/org/apache/wiki/plugin/IfPlugin.java Instead of {{ include |= ipaddrToCheck.equals( HttpUtil.getRemoteAddress( context.getHttpRequest() ) ) ^ invert;}} now it should read {{ include |= HttpUtil.ipIsInRange( context.getHttpRequest(), ipaddrToCheck ) ^ invert;}} That's all. Now the IfPlugin accepts something like [{If ip='192.168.0.0/16|10.0.0.0/8|127.0.0.1' Secret stuff for localhost and local networks}] was: The IfPlugin.checkIP method has a comment "TODO: Add subnetwork matching, e.g. 10.0.0.0/8". This is a patch to address this. Sorry that this does not come as a PR, but the changes are limited in scope. Additions to pom.xml <ipaddress.version>5.4.0</ipaddress.version> <dependency> <groupId>com.github.seancfoley</groupId> <artifactId>ipaddress</artifactId> <version>${ipaddress.version}</version> </dependency> Additions to jspwiki-util/pom.xml <dependency> <groupId>com.github.seancfoley</groupId> <artifactId>ipaddress</artifactId> </dependency> Changes in jspwiki-util/src/main/java/org/apache/wiki/util/HttpUtil.java This method now checks whether the IP contains a comma, which can happen if the request goes through more than one proxy. 
That's not directly related to this patch, but useful nonetheless. /** * returns the remote address by looking into {@code x-forwarded-for} header or, if unavailable, * into {@link HttpServletRequest#getRemoteAddr()}. * * @param req http request * @return remote address associated to the request. */ public static String getRemoteAddress( final HttpServletRequest req ) { String realIP = StringUtils.isNotEmpty ( req.getHeader( "X-Forwarded-For" ) ) ? req.getHeader( "X-Forwarded-For" ) : req.getRemoteAddr(); // can be a comma-separated list of IPs if (realIP.contains(",")) realIP = realIP.substring(realIP.indexOf(",")); return realIP; } This method is new /** * Returns whether or not the IP address of the request equals a given IP, or is in a given IP range * * @param req http request * @param ipOrRange IP address or IP range to test against * @return */ public static boolean ipIsInRange ( final HttpServletRequest req, final String ipOrRange ) { String requestIP = getRemoteAddress(req); if (ipOrRange.contains("/")) { IPAddressString testRange = new IPAddressString(ipOrRange); return testRange.contains(new IPAddressString(requestIP)); } else { return requestIP.equals(ipOrRange); } } Changes in jspwiki-main/src/main/java/org/apache/wiki/plugin/IfPlugin.java Instead of include |= ipaddrToCheck.equals( HttpUtil.getRemoteAddress( context.getHttpRequest() ) ) ^ invert; now it should read include |= HttpUtil.ipIsInRange( context.getHttpRequest(), ipaddrToCheck ) ^ invert; That's all. Now the IfPlugin accepts something like [{If ip='192.168.0.0/16|10.0.0.0/8|127.0.0.1' Secret stuff for localhost and local networks}] > Support IP ranges in IfPlugin > ----------------------------- > > Key: JSPWIKI-1183 > URL: https://issues.apache.org/jira/browse/JSPWIKI-1183 > Project: JSPWiki > Issue Type: Improvement > Components: Plugins > Affects Versions: 2.12.1 > Reporter: Ulf Dittmer > Priority: Minor > > The IfPlugin.checkIP method has a comment "TODO: Add subnetwork matching, > e.g. 
10.0.0.0/8". This is a patch to address this. Sorry that this does not > come as a PR, but the changes are limited in scope. > Additions to pom.xml > {{ <ipaddress.version>5.4.0</ipaddress.version> > <dependency> > <groupId>com.github.seancfoley</groupId> > <artifactId>ipaddress</artifactId> > <version>${ipaddress.version}</version> > </dependency> > }} > Additions to jspwiki-util/pom.xml > {{ <dependency> > <groupId>com.github.seancfoley</groupId> > <artifactId>ipaddress</artifactId> > </dependency>}} > Changes in jspwiki-util/src/main/java/org/apache/wiki/util/HttpUtil.java > This method now checks whether the IP contains a comma, which can happen if > the request goes through more than one proxy. That's not directly related to > this patch, but useful nonetheless. > {{ /** > * returns the remote address by looking into {@code x-forwarded-for} > header or, if unavailable, > * into {@link HttpServletRequest#getRemoteAddr()}. > * > * @param req http request > * @return remote address associated to the request. > */ > public static String getRemoteAddress( final HttpServletRequest req ) { > String realIP = StringUtils.isNotEmpty ( req.getHeader( > "X-Forwarded-For" ) ) ? 
req.getHeader( "X-Forwarded-For" ) : > > req.getRemoteAddr(); > // can be a comma-separated list of IPs > if (realIP.contains(",")) > realIP = realIP.substring(realIP.indexOf(",")); > return realIP; > }}} > This method is new > {{ /** > * Returns whether or not the IP address of the request equals a given > IP, or is in a given IP range > * > * @param req http request > * @param ipOrRange IP address or IP range to test against > * @return > */ > public static boolean ipIsInRange ( final HttpServletRequest req, final > String ipOrRange ) { > String requestIP = getRemoteAddress(req); > if (ipOrRange.contains("/")) { > IPAddressString testRange = new > IPAddressString(ipOrRange); > return testRange.contains(new > IPAddressString(requestIP)); > } else { > return requestIP.equals(ipOrRange); > } > } > }} > Changes in jspwiki-main/src/main/java/org/apache/wiki/plugin/IfPlugin.java > Instead of > {{ include |= ipaddrToCheck.equals( HttpUtil.getRemoteAddress( > context.getHttpRequest() ) ) ^ invert;}} > now it should read > {{ include |= HttpUtil.ipIsInRange( context.getHttpRequest(), > ipaddrToCheck ) ^ invert;}} > That's all. Now the IfPlugin accepts something like > [{If ip='192.168.0.0/16|10.0.0.0/8|127.0.0.1' > Secret stuff for localhost and local networks}] -- This message was sent by Atlassian Jira (v8.20.10#820010)
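Review bot: In getRemoteAddress, `realIP.substring(realIP.indexOf(","))` keeps the tail of the header starting at the first comma (for "a, b, c" it returns ", b, c"), not a single address, so for multi-proxy requests neither `new IPAddressString(requestIP)` nor `requestIP.equals(ipOrRange)` in ipIsInRange receives a parseable IP. If the intent is the first entry of the list, use `realIP.substring(0, realIP.indexOf(","))` and trim the result. The Javadoc still describes the return value as a single remote address and should say which entry of a comma-separated list is returned.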
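Review bot: ipIsInRange bases an include/exclude decision on getRemoteAddress, which prefers the X-Forwarded-For request header over req.getRemoteAddr(); that header is supplied by the client unless a proxy in front of the wiki overwrites it, so a rule such as `[{If ip='192.168.0.0/16|10.0.0.0/8|127.0.0.1' ...}]` is only as reliable as that proxy setup. Consider honouring the header only when req.getRemoteAddr() belongs to a configured trusted proxy, or at least document the requirement next to the plugin. Two smaller points in the same method: the non-CIDR branch is plain string equality, so equivalent spellings of one address (IPv6 in particular) will not match, and the `@return` tag in the Javadoc is empty.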