Last modified: 2013-05-10 13:45:27 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T36288, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 34288 - Allow blocking private (internal) IPs passed by X-Forwarded-For
Status: NEW
Product: MediaWiki
Classification: Unclassified
Component: User blocking
Version: unspecified
Hardware: All All
Importance: Normal enhancement with 1 vote
Assigned To: Nobody - You can work on this!

Reported: 2012-02-09 05:13 UTC by Matthew Flaschen
Modified: 2013-05-10 13:45 UTC (History)

Description Matthew Flaschen 2012-02-09 05:13:03 UTC
This is an import of the feature request at http://meta.wikimedia.org/wiki/XFF_project/RFC_1918.

Some proxies pass an X-Forwarded-For header with an internal IP as value.  If we could block the combination of internal and external (e.g. 10.1.0.0/16 via 62.171.194.4), that would allow us to target particular computers without blocking the whole proxy.

There are several known proxies this applies to (listed at URL above), and probably many more unknown.  Several are schools.  Those alone would provide a significant benefit,

Comment 1 Matthew Flaschen 2013-03-29 20:41:19 UTC
Jasper Deng noted at bug 23343 that this feature could also be useful for [[carrier-grade NAT]]:

"I'd like to add (from the above dup) that it would be useful, especially for
networks using carrier-grade NAT, that we should be able to also base blocks
off of both public-facing and (private) IPs behind, such as blocking
"206.34.7.1/16/xff:10.6.0.0/16" or "206.6.1.8/xff:192.168.2.0/24"."
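
The combined block requested in this report can be sketched as follows. This is an added example, not MediaWiki code: `parse_block`, `is_blocked` and `XffBlock` are hypothetical names, the spec syntax is the one quoted in comment 1, and it assumes the connecting proxy appends the address it saw as the last X-Forwarded-For entry.

```python
import ipaddress
from typing import NamedTuple, Optional

# RFC 6598 shared address space used behind carrier-grade NAT.
CGNAT = ipaddress.IPv4Network("100.64.0.0/10")


class XffBlock(NamedTuple):
    public: ipaddress.IPv4Network   # proxy or NAT range the wiki sees
    private: ipaddress.IPv4Network  # internal range reported in XFF


def parse_block(spec: str) -> XffBlock:
    """Parse '<public>[/len]/xff:<private>[/len]' into a composite block."""
    public_part, sep, private_part = spec.partition("/xff:")
    if not sep:
        raise ValueError("expected '<public>/xff:<private>'")
    # strict=False because the quoted '206.34.7.1/16' has host bits set.
    public = ipaddress.IPv4Network(public_part, strict=False)
    private = ipaddress.IPv4Network(private_part, strict=False)
    if not (private.is_private or private.subnet_of(CGNAT)):
        raise ValueError("XFF side must be an internal range")
    if public.is_private:
        raise ValueError("public side must not be an internal range")
    return XffBlock(public, private)


def is_blocked(block: XffBlock, remote_addr: str, xff: Optional[str]) -> bool:
    """True only when the proxy AND the internal address both match."""
    try:
        remote = ipaddress.IPv4Address(remote_addr.strip())
        # Rightmost entry is the one the connecting proxy appended; entries
        # to its left were supplied by the client and can be forged.
        inner = ipaddress.IPv4Address((xff or "").split(",")[-1].strip())
    except ValueError:
        return False  # missing or malformed header: rule does not apply
    return remote in block.public and inner in block.private


if __name__ == "__main__":
    rule = parse_block("206.34.7.1/16/xff:10.6.0.0/16")
    # Constructed sample requests: (connecting address, X-Forwarded-For)
    for remote, xff in [("206.34.200.9", "10.6.3.4"),
                        ("206.34.200.9", "10.9.9.9, 10.6.3.4"),
                        ("206.34.200.9", "10.7.0.1"),
                        ("198.51.100.7", "10.6.3.4")]:
        print(remote, repr(xff), is_blocked(rule, remote, xff))
```

Because the rule requires both halves to match, other users behind the same proxy stay unblocked, and the same internal address arriving from an unrelated public address is ignored.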
