summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorDylan William Hardison <dylan@hardison.net>2017-09-11 18:59:58 +0200
committerGitHub <noreply@github.com>2017-09-11 18:59:58 +0200
commitce38f8be741a8b618dfac9d2f6f166a6e3954e45 (patch)
tree67c2d67bc1c180bb2be80e12b6d07bf9ef42446f /Bugzilla
parentd3cf76c62299d9ff9e3589a3c159571711d8d186 (diff)
downloadbugzilla-ce38f8be741a8b618dfac9d2f6f166a6e3954e45.tar.gz
bugzilla-ce38f8be741a8b618dfac9d2f6f166a6e3954e45.tar.xz
Bug 1393888 - Write httpd access handler to block by ip address stored in memcached
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/ModPerl.pm3
-rw-r--r--Bugzilla/ModPerl/BlockIP.pm65
2 files changed, 68 insertions, 0 deletions
diff --git a/Bugzilla/ModPerl.pm b/Bugzilla/ModPerl.pm
index 7c367ed2e..142df63d4 100644
--- a/Bugzilla/ModPerl.pm
+++ b/Bugzilla/ModPerl.pm
@@ -19,6 +19,8 @@ use Carp ();
# (and there might be side-effects, since this code is loaded very early in the httpd startup)
use Template ();
+use Bugzilla::ModPerl::BlockIP;
+
sub apache_config {
my ($class, $cgi_path) = @_;
@@ -72,6 +74,7 @@ __DATA__
# the built-in rand(), even though we never use it in Bugzilla itself,
# so we need to srand() both of them.)
PerlChildInitHandler "sub { Bugzilla::RNG::srand(); srand(); }"
+PerlAccessHandler Bugzilla::ModPerl::BlockIP
# It is important to specify ErrorDocuments outside of all directories.
# These used to be in .htaccess, but then things like "AllowEncodedSlashes no"
diff --git a/Bugzilla/ModPerl/BlockIP.pm b/Bugzilla/ModPerl/BlockIP.pm
new file mode 100644
index 000000000..4e9a4be5c
--- /dev/null
+++ b/Bugzilla/ModPerl/BlockIP.pm
@@ -0,0 +1,65 @@
+package Bugzilla::ModPerl::BlockIP;
+use 5.10.1;
+use strict;
+use warnings;
+
+use Apache2::RequestRec ();
+use Apache2::Connection ();
+
+use Apache2::Const -compile => qw(OK);
+use Cache::Memcached::Fast;
+
+use constant BLOCK_TIMEOUT => 60*60;
+
+my $MEMCACHED = Bugzilla::Memcached->_new()->{memcached};
+my $STATIC_URI = qr{
+ ^/
+ (?: extensions/[^/]+/web
+ | robots\.txt
+ | __heartbeat__
+ | __lbheartbeat__
+ | __version__
+ | images
+ | skins
+ | js
+ | errors
+ )
+}xms;
+
+sub block_ip {
+ my ($class, $ip) = @_;
+ $MEMCACHED->set("block_ip:$ip" => 1, BLOCK_TIMEOUT) if $MEMCACHED;
+}
+
+sub unblock_ip {
+ my ($class, $ip) = @_;
+ $MEMCACHED->delete("block_ip:$ip") if $MEMCACHED;
+}
+
+sub handler {
+ my $r = shift;
+ return Apache2::Const::OK if $r->uri =~ $STATIC_URI;
+
+ my $ip = $r->headers_in->{'X-Forwarded-For'};
+ if ($ip) {
+ $ip = (split(/\s*,\s*/ms, $ip))[-1];
+ }
+ else {
+ $ip = $r->connection->remote_ip;
+ }
+
+ if ($MEMCACHED && $MEMCACHED->get("block_ip:$ip")) {
+ __PACKAGE__->block_ip($ip);
+ $r->status_line("429 Too Many Requests");
+ # 500 is used here because apache 2.2 doesn't understand 429.
+ # the above line and the return value together mean we produce 429.
+ # Any other variation doesn't work.
+ $r->custom_response(500, "Too Many Requests");
+ return 429;
+ }
+ else {
+ return Apache2::Const::OK;
+ }
+}
+
+1;