[
https://issues.apache.org/jira/browse/JSPWIKI-1183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ulf Dittmer updated JSPWIKI-1183:
---------------------------------
Description:
The IfPlugin.checkIP method has a comment "TODO: Add subnetwork matching, e.g.
10.0.0.0/8". This is a patch to address this. Sorry that this does not come as
a PR, but the changes are limited in scope.
Additions to pom.xml
<ipaddress.version>5.4.0</ipaddress.version>
<dependency>
<groupId>com.github.seancfoley</groupId>
<artifactId>ipaddress</artifactId>
<version>${ipaddress.version}</version>
</dependency>
Additions to jspwiki-util/pom.xml
<dependency>
<groupId>com.github.seancfoley</groupId>
<artifactId>ipaddress</artifactId>
</dependency>
Changes in jspwiki-util/src/main/java/org/apache/wiki/util/HttpUtil.java
This method now checks whether the IP contains a comma, which can happen if the
request goes through more than one proxy. That's not directly related to this
patch, but useful nonetheless.
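/**
 * Returns the remote address by looking into the {@code X-Forwarded-For} header or, if that
 * header is absent or empty, into {@link HttpServletRequest#getRemoteAddr()}.
 * <p>
 * When the value is a comma-separated list (one entry per proxy hop), only the first entry is
 * returned, with surrounding whitespace removed.
 * <p>
 * NOTE(review): {@code X-Forwarded-For} is an ordinary request header, so unless a trusted
 * reverse proxy overwrites it the value is whatever the client sent. Treat the result as a hint,
 * and confirm the deployment rewrites the header before using it for access decisions.
 *
 * @param req http request
 * @return remote address associated to the request, or {@code null} if neither source yields one.
 */
public static String getRemoteAddress( final HttpServletRequest req ) {
    final String forwardedFor = req.getHeader( "X-Forwarded-For" );
    String realIP = StringUtils.isNotEmpty( forwardedFor ) ? forwardedFor : req.getRemoteAddr();
    if( realIP == null ) {
        return null;
    }
    // can be a comma-separated list of IPs: keep the first entry only.
    // substring( indexOf( "," ) ) would keep the comma and everything after it.
    final int comma = realIP.indexOf( ',' );
    if( comma >= 0 ) {
        realIP = realIP.substring( 0, comma );
    }
    return realIP.trim();
}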
This method is new
/**
 * Tests the remote address of a request against a single IP address or an IP range.
 * <p>
 * A value containing {@code /} is treated as a range and checked with
 * {@code IPAddressString.contains}; any other value is compared to the remote address as a
 * plain string, so only an identically written address matches.
 * <p>
 * NOTE(review): the remote address comes from {@link #getRemoteAddress(HttpServletRequest)},
 * which prefers the {@code X-Forwarded-For} header - confirm a trusted proxy sets that header
 * before relying on this check to restrict content.
 *
 * @param req http request
 * @param ipOrRange IP address or IP range to test against
 * @return {@code true} if the remote address equals {@code ipOrRange} or lies inside the range
 *         it denotes, {@code false} otherwise
 */
public static boolean ipIsInRange( final HttpServletRequest req, final String ipOrRange ) {
    final String clientAddress = getRemoteAddress( req );
    // No slash: a single address, matched by exact string comparison.
    if( !ipOrRange.contains( "/" ) ) {
        return clientAddress.equals( ipOrRange );
    }
    // Slash present: delegate the range membership test to the ipaddress library.
    final IPAddressString allowedRange = new IPAddressString( ipOrRange );
    final IPAddressString candidate = new IPAddressString( clientAddress );
    return allowedRange.contains( candidate );
}
Changes in jspwiki-main/src/main/java/org/apache/wiki/plugin/IfPlugin.java
Instead of
{{include |= ipaddrToCheck.equals( HttpUtil.getRemoteAddress(
context.getHttpRequest() ) ) ^ invert;}}
now it should read
{{include |= HttpUtil.ipIsInRange( context.getHttpRequest(), ipaddrToCheck ) ^
invert;}}
That's all. Now the IfPlugin accepts something like
[{If ip='192.168.0.0/16|10.0.0.0/8|127.0.0.1'
Secret stuff for localhost and local networks}]
was:
The IfPlugin.checkIP method has a comment "TODO: Add subnetwork matching, e.g.
10.0.0.0/8". This is a patch to address this. Sorry that this does not come as
a PR, but the changes are limited in scope.
Additions to pom.xml
{{ <ipaddress.version>5.4.0</ipaddress.version>
<dependency>
<groupId>com.github.seancfoley</groupId>
<artifactId>ipaddress</artifactId>
<version>${ipaddress.version}</version>
</dependency>
}}
Additions to jspwiki-util/pom.xml
{{ <dependency>
<groupId>com.github.seancfoley</groupId>
<artifactId>ipaddress</artifactId>
</dependency>}}
Changes in jspwiki-util/src/main/java/org/apache/wiki/util/HttpUtil.java
This method now checks whether the IP contains a comma, which can happen if the
request goes through more than one proxy. That's not directly related to this
patch, but useful nonetheless.
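/**
 * Returns the remote address by looking into the {@code X-Forwarded-For} header or, if that
 * header is absent or empty, into {@link HttpServletRequest#getRemoteAddr()}.
 * <p>
 * When the value is a comma-separated list (one entry per proxy hop), only the first entry is
 * returned, with surrounding whitespace removed.
 * <p>
 * NOTE(review): {@code X-Forwarded-For} is an ordinary request header, so unless a trusted
 * reverse proxy overwrites it the value is whatever the client sent. Treat the result as a hint,
 * and confirm the deployment rewrites the header before using it for access decisions.
 *
 * @param req http request
 * @return remote address associated to the request, or {@code null} if neither source yields one.
 */
public static String getRemoteAddress( final HttpServletRequest req ) {
    final String forwardedFor = req.getHeader( "X-Forwarded-For" );
    String realIP = StringUtils.isNotEmpty( forwardedFor ) ? forwardedFor : req.getRemoteAddr();
    if( realIP == null ) {
        return null;
    }
    // can be a comma-separated list of IPs: keep the first entry only.
    // substring( indexOf( "," ) ) would keep the comma and everything after it.
    final int comma = realIP.indexOf( ',' );
    if( comma >= 0 ) {
        realIP = realIP.substring( 0, comma );
    }
    return realIP.trim();
}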
This method is new
/**
 * Tests the remote address of a request against a single IP address or an IP range.
 * <p>
 * A value containing {@code /} is treated as a range and checked with
 * {@code IPAddressString.contains}; any other value is compared to the remote address as a
 * plain string, so only an identically written address matches.
 * <p>
 * NOTE(review): the remote address comes from {@link #getRemoteAddress(HttpServletRequest)},
 * which prefers the {@code X-Forwarded-For} header - confirm a trusted proxy sets that header
 * before relying on this check to restrict content.
 *
 * @param req http request
 * @param ipOrRange IP address or IP range to test against
 * @return {@code true} if the remote address equals {@code ipOrRange} or lies inside the range
 *         it denotes, {@code false} otherwise
 */
public static boolean ipIsInRange( final HttpServletRequest req, final String ipOrRange ) {
    final String clientAddress = getRemoteAddress( req );
    // No slash: a single address, matched by exact string comparison.
    if( !ipOrRange.contains( "/" ) ) {
        return clientAddress.equals( ipOrRange );
    }
    // Slash present: delegate the range membership test to the ipaddress library.
    final IPAddressString allowedRange = new IPAddressString( ipOrRange );
    final IPAddressString candidate = new IPAddressString( clientAddress );
    return allowedRange.contains( candidate );
}
Changes in jspwiki-main/src/main/java/org/apache/wiki/plugin/IfPlugin.java
Instead of
{{ include |= ipaddrToCheck.equals( HttpUtil.getRemoteAddress(
context.getHttpRequest() ) ) ^ invert;}}
now it should read
{{ include |= HttpUtil.ipIsInRange( context.getHttpRequest(),
ipaddrToCheck ) ^ invert;}}
That's all. Now the IfPlugin accepts something like
[{If ip='192.168.0.0/16|10.0.0.0/8|127.0.0.1'
Secret stuff for localhost and local networks}]
> Support IP ranges in IfPlugin
> -----------------------------
>
> Key: JSPWIKI-1183
> URL: https://issues.apache.org/jira/browse/JSPWIKI-1183
> Project: JSPWiki
> Issue Type: Improvement
> Components: Plugins
> Affects Versions: 2.12.1
> Reporter: Ulf Dittmer
> Priority: Minor
>
> The IfPlugin.checkIP method has a comment "TODO: Add subnetwork matching,
> e.g. 10.0.0.0/8". This is a patch to address this. Sorry that this does not
> come as a PR, but the changes are limited in scope.
> Additions to pom.xml
> <ipaddress.version>5.4.0</ipaddress.version>
> <dependency>
> <groupId>com.github.seancfoley</groupId>
> <artifactId>ipaddress</artifactId>
> <version>${ipaddress.version}</version>
> </dependency>
> Additions to jspwiki-util/pom.xml
> <dependency>
> <groupId>com.github.seancfoley</groupId>
> <artifactId>ipaddress</artifactId>
> </dependency>
> Changes in jspwiki-util/src/main/java/org/apache/wiki/util/HttpUtil.java
> This method now checks whether the IP contains a comma, which can happen if
> the request goes through more than one proxy. That's not directly related to
> this patch, but useful nonetheless.
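> /**
>  * Returns the remote address by looking into the {@code X-Forwarded-For} header or, if that
>  * header is absent or empty, into {@link HttpServletRequest#getRemoteAddr()}.
>  * <p>
>  * When the value is a comma-separated list (one entry per proxy hop), only the first entry is
>  * returned, with surrounding whitespace removed.
>  * <p>
>  * NOTE(review): {@code X-Forwarded-For} is an ordinary request header, so unless a trusted
>  * reverse proxy overwrites it the value is whatever the client sent. Treat the result as a hint,
>  * and confirm the deployment rewrites the header before using it for access decisions.
>  *
>  * @param req http request
>  * @return remote address associated to the request, or {@code null} if neither source yields one.
>  */
> public static String getRemoteAddress( final HttpServletRequest req ) {
>     final String forwardedFor = req.getHeader( "X-Forwarded-For" );
>     String realIP = StringUtils.isNotEmpty( forwardedFor ) ? forwardedFor : req.getRemoteAddr();
>     if( realIP == null ) {
>         return null;
>     }
>     // can be a comma-separated list of IPs: keep the first entry only.
>     // substring( indexOf( "," ) ) would keep the comma and everything after it.
>     final int comma = realIP.indexOf( ',' );
>     if( comma >= 0 ) {
>         realIP = realIP.substring( 0, comma );
>     }
>     return realIP.trim();
> }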
>
> This method is new
> /**
>  * Tests the remote address of a request against a single IP address or an IP range.
>  * <p>
>  * A value containing {@code /} is treated as a range and checked with
>  * {@code IPAddressString.contains}; any other value is compared to the remote address as a
>  * plain string, so only an identically written address matches.
>  * <p>
>  * NOTE(review): the remote address comes from {@link #getRemoteAddress(HttpServletRequest)},
>  * which prefers the {@code X-Forwarded-For} header - confirm a trusted proxy sets that header
>  * before relying on this check to restrict content.
>  *
>  * @param req http request
>  * @param ipOrRange IP address or IP range to test against
>  * @return {@code true} if the remote address equals {@code ipOrRange} or lies inside the range
>  *         it denotes, {@code false} otherwise
>  */
> public static boolean ipIsInRange( final HttpServletRequest req, final String ipOrRange ) {
>     final String clientAddress = getRemoteAddress( req );
>     // No slash: a single address, matched by exact string comparison.
>     if( !ipOrRange.contains( "/" ) ) {
>         return clientAddress.equals( ipOrRange );
>     }
>     // Slash present: delegate the range membership test to the ipaddress library.
>     final IPAddressString allowedRange = new IPAddressString( ipOrRange );
>     final IPAddressString candidate = new IPAddressString( clientAddress );
>     return allowedRange.contains( candidate );
> }
>
> Changes in jspwiki-main/src/main/java/org/apache/wiki/plugin/IfPlugin.java
> Instead of
> {{include |= ipaddrToCheck.equals( HttpUtil.getRemoteAddress(
> context.getHttpRequest() ) ) ^ invert;}}
> now it should read
> {{include |= HttpUtil.ipIsInRange( context.getHttpRequest(), ipaddrToCheck )
> ^ invert;}}
> That's all. Now the IfPlugin accepts something like
> [{If ip='192.168.0.0/16|10.0.0.0/8|127.0.0.1'
> Secret stuff for localhost and local networks}]