[ https://issues.apache.org/jira/browse/JSPWIKI-1183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ulf Dittmer updated JSPWIKI-1183:
---------------------------------
    Description:
The IfPlugin.checkIP method has a comment "TODO: Add subnetwork matching, e.g. 10.0.0.0/8". This is a patch to address this. Sorry that this does not come as a PR, but the changes are limited in scope.

Additions to pom.xml

    <ipaddress.version>5.4.0</ipaddress.version>

    <dependency>
      <groupId>com.github.seancfoley</groupId>
      <artifactId>ipaddress</artifactId>
      <version>${ipaddress.version}</version>
    </dependency>

Additions to jspwiki-util/pom.xml

    <dependency>
      <groupId>com.github.seancfoley</groupId>
      <artifactId>ipaddress</artifactId>
    </dependency>

Changes in jspwiki-util/src/main/java/org/apache/wiki/util/HttpUtil.java

This method now checks whether the IP contains a comma, which can happen if the request goes through more than one proxy. That's not directly related to this patch, but useful nonetheless.

    /**
     * returns the remote address by looking into {@code x-forwarded-for} header or, if unavailable,
     * into {@link HttpServletRequest#getRemoteAddr()}.
     *
     * @param req http request
     * @return remote address associated to the request.
     */
    public static String getRemoteAddress( final HttpServletRequest req ) {
        String realIP = StringUtils.isNotEmpty ( req.getHeader( "X-Forwarded-For" ) ) ? req.getHeader( "X-Forwarded-For" ) :
                                                                                       req.getRemoteAddr();
        // can be a comma-separated list of IPs; keep only the first entry
        if (realIP.contains(","))
            realIP = realIP.substring(0, realIP.indexOf(",")).trim();
        return realIP;
    }

This method is new

    // needs: import inet.ipaddr.IPAddressString;

    /**
     * Returns whether or not the IP address of the request equals a given IP, or is in a given IP range
     *
     * @param req http request
     * @param ipOrRange IP address or IP range to test against
     * @return true if the remote address equals ipOrRange or lies within that range
     */
    public static boolean ipIsInRange ( final HttpServletRequest req, final String ipOrRange ) {
        String requestIP = getRemoteAddress(req);
        if (ipOrRange.contains("/")) {
            // CIDR notation: let the ipaddress library do the containment test
            IPAddressString testRange = new IPAddressString(ipOrRange);
            return testRange.contains(new IPAddressString(requestIP));
        } else {
            // single address: plain string comparison
            return requestIP.equals(ipOrRange);
        }
    }

Changes in jspwiki-main/src/main/java/org/apache/wiki/plugin/IfPlugin.java

Instead of

    include |= ipaddrToCheck.equals( HttpUtil.getRemoteAddress( context.getHttpRequest() ) ) ^ invert;

now it should read

    include |= HttpUtil.ipIsInRange( context.getHttpRequest(), ipaddrToCheck ) ^ invert;

That's all. Now the IfPlugin accepts something like

    [{If ip='192.168.0.0/16|10.0.0.0/8|127.0.0.1'
    Secret stuff for localhost}]

> Support IP ranges in IfPlugin
> -----------------------------
>
>                 Key: JSPWIKI-1183
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1183
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Plugins
>    Affects Versions: 2.12.1
>            Reporter: Ulf Dittmer
>            Priority: Minor

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
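
An added example, not part of the issue and not JSPWiki code: getRemoteAddress in the description reads X-Forwarded-For whenever the header is present, and its result decides whether the If body is rendered, so this sketch honours the header only when the direct peer is a trusted proxy and then matches against the whole '|'-separated list with the same ipaddress library, which goes beyond the single-entry check in the patch. ForwardedIpCheck, TRUSTED_PROXIES, clientAddress, parse and matchesAny are hypothetical names; the trusted-proxy list and the sample requests are constructed.

```java
import inet.ipaddr.IPAddress;
import inet.ipaddr.IPAddressString;
import java.util.Set;

public class ForwardedIpCheck {
    // Assumption: the only proxy allowed to set X-Forwarded-For runs on localhost.
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1");

    // The header is honoured only when the direct peer is a trusted proxy. It is read
    // right to left: hops added by trusted proxies are skipped and the first other hop
    // is the client; anything further left was supplied by the client and is ignored.
    static String clientAddress(String remoteAddr, String forwardedFor) {
        if (forwardedFor == null || !TRUSTED_PROXIES.contains(remoteAddr)) { return remoteAddr; }
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !TRUSTED_PROXIES.contains(hop)) { return hop; }
        }
        return remoteAddr;
    }

    // Parses one address or CIDR block; null for empty or invalid input.
    static IPAddress parse(String s) {
        if (s == null || s.isBlank()) { return null; } // do not rely on parser defaults for ""
        return new IPAddressString(s.trim()).getAddress();
    }

    // True if clientIp equals an entry of the '|'-separated list or lies inside one of its blocks.
    static boolean matchesAny(String clientIp, String ipList) {
        IPAddress client = parse(clientIp);
        if (client == null) { return false; }
        for (String entry : ipList.split("\\|")) {
            IPAddress range = parse(entry);
            // toPrefixBlock() widens "10.1.2.3/8" to 10.0.0.0/8; a plain address is unchanged
            if (range != null && range.toPrefixBlock().contains(client)) { return true; }
        }
        return false;
    }

    public static void main(String[] args) {
        String list = "192.168.0.0/16|10.0.0.0/8|127.0.0.1";
        // Constructed requests: direct peer, then X-Forwarded-For value
        String a = clientAddress("127.0.0.1", "10.9.9.9, 203.0.113.7");
        String b = clientAddress("127.0.0.1", "192.168.4.20");
        String c = clientAddress("198.51.100.5", "127.0.0.1"); // header from an untrusted peer
        for (String ip : new String[] { a, b, c }) {
            System.out.println(ip + " -> " + matchesAny(ip, list));
        }
    }
}
```

Compile and run with the com.github.seancfoley:ipaddress 5.4.0 jar on the classpath, on Java 11 or later.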