Tony Sidaway wrote:
> On 10/17/05, David Gerard <dgerard at gmail.com> wrote:
>> Note that the NTL problem has been solved (presumably through some horribly ugly special cases in the MediaWiki code) -
> My understanding is that NTL passes the client IP via a standard protocol and MediaWiki simply interprets it in the standard manner. The only place where it gets hairy is that, as I understand it, some anonymizing proxies also use this protocol and forward a spoofed IP, so you do need to maintain a list of proxies that can be trusted.

Semi-standard - it uses an X-Forwarded-From header and sometimes it reverses the order of the octets (for no good reason).

That said, I just spotted a MARMOT sock (User:Captain Kreuk and a few others) with his IP showing as the NTL proxy address, not his actual address. Bother.

(cc'd to wikitech-l - is this a reportable bug, or hadn't the NTL-checking code kicked in at that point?)

- d.
David Gerard wrote:
> Tony Sidaway wrote:
>> On 10/17/05, David Gerard <dgerard at gmail.com> wrote:
>>> Note that the NTL problem has been solved (presumably through some horribly ugly special cases in the MediaWiki code) -

It's not an ugly special case, we already used the X-Forwarded-For header to determine the IP address for users editing via our own squids (i.e. everyone). It was just a matter of adding extra trusted proxies, and adding some validation for cases where external proxies randomly send invalid addresses like 127.0.0.1, which unfortunately some of them do.

>> My understanding is that NTL passes the client IP via a standard protocol and MediaWiki simply interprets it in the standard manner. The only place where it gets hairy is that, as I understand it, some anonymizing proxies also use this protocol and forward a spoofed IP, so you do need to maintain a list of proxies that can be trusted.

No, the problem is not some anonymizing proxies, the problem is that anyone at all could pretend to be a proxy, by just typing headers into telnet or netcat.

> Semi-standard - it uses an X-Forwarded-From header and sometimes it reverses the order of the octets (for no good reason).

Nothing in MediaWiki should reverse the order of the octets, where have you seen that? Anyway, it is indeed only semi-standard, hence the X prefix. It's a de facto standard promulgated by Squid.

> That said, I just spotted a MARMOT sock (User:Captain Kreuk and a few others) with his IP showing as the NTL proxy address, not his actual address. Bother.
> (cc'd to wikitech-l - is this a reportable bug, or hadn't the NTL-checking code kicked in at that point?)

It's a bit hard to tell without knowing the IP address and how long ago it occurred.

-- Tim Starling
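The trusted-proxy walk Tim describes, as an added example (not MediaWiki's own code): it steps through X-Forwarded-For from the nearest hop outward, only past proxies on an allow-list, so a header typed by an untrusted client is ignored, and it stops at the last trustworthy hop when a proxy forwards something invalid like 127.0.0.1. The proxy and client addresses below are constructed placeholders from documentation ranges, not the real squid or NTL addresses.

```python
import ipaddress

# Constructed placeholders: our own squids (10.0.0.x) plus one external
# proxy we have decided to trust. Not the real Wikimedia or NTL addresses.
TRUSTED_PROXIES = {"10.0.0.1", "10.0.0.2", "198.51.100.7"}


def valid_forwarded_addr(addr):
    """True if addr parses and is plausible as a client address.

    External proxies sometimes put garbage such as 127.0.0.1 into the
    header; such entries must not be accepted as the editor's IP.
    """
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_unspecified
                or ip.is_link_local or ip.is_multicast)


def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Resolve the client address from the TCP peer and X-Forwarded-For.

    The header is a comma-separated chain, oldest hop first. Walk it from
    the right (nearest hop): only step past an address that is a trusted
    proxy, and only onto an entry that is valid. The first address that is
    not one of our proxies is the client, whatever it claims further left.
    """
    current = remote_addr
    if not xff:
        return current
    for hop in reversed(xff.split(",")):
        if current not in trusted:
            break  # current hop is not ours: its header is untrusted
        if not valid_forwarded_addr(hop):
            break  # broken proxy: keep the last trustworthy address
        current = hop.strip()
    return current
```

In the broken-proxy case the editor shows up as the proxy's own address, which is the symptom David reported.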
>> Semi-standard - it uses an X-Forwarded-From header and sometimes it reverses the order of the octets (for no good reason).
> Nothing in MediaWiki should reverse the order of the octets, where have you seen that?

He was referring to the NTL proxies. Half of them reverse the order of the octets of the IP addresses in their X-Forwarded-From header, half of them don't.