|
@@ -46,24 +46,22 @@ func (wc *webircConfig) Populate() (err error) {
|
46
|
46
|
}
|
47
|
47
|
|
48
|
48
|
// ApplyProxiedIP applies the given IP to the client.
|
49
|
|
-func (client *Client) ApplyProxiedIP(session *Session, proxiedIP string, tls bool) (success bool) {
|
|
49
|
+func (client *Client) ApplyProxiedIP(session *Session, proxiedIP string, tls bool) (err error, quitMsg string) {
|
50
|
50
|
// PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself
|
51
|
51
|
// is whitelisted:
|
52
|
52
|
if client.isTor {
|
53
|
|
- return false
|
|
53
|
+ return errBadProxyLine, ""
|
54
|
54
|
}
|
55
|
55
|
|
56
|
56
|
// ensure IP is sane
|
57
|
57
|
parsedProxiedIP := net.ParseIP(proxiedIP).To16()
|
58
|
58
|
if parsedProxiedIP == nil {
|
59
|
|
- client.Quit(fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP), session)
|
60
|
|
- return false
|
|
59
|
+ return errBadProxyLine, fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP)
|
61
|
60
|
}
|
62
|
61
|
|
63
|
62
|
isBanned, banMsg := client.server.checkBans(parsedProxiedIP)
|
64
|
63
|
if isBanned {
|
65
|
|
- client.Quit(banMsg, session)
|
66
|
|
- return false
|
|
64
|
+ return errBanned, banMsg
|
67
|
65
|
}
|
68
|
66
|
|
69
|
67
|
// given IP is sane! override the client's current IP
|
|
@@ -84,7 +82,7 @@ func (client *Client) ApplyProxiedIP(session *Session, proxiedIP string, tls boo
|
84
|
82
|
client.certfp = ""
|
85
|
83
|
client.SetMode(modes.TLS, tls)
|
86
|
84
|
|
87
|
|
- return true
|
|
85
|
+ return nil, ""
|
88
|
86
|
}
|
89
|
87
|
|
90
|
88
|
// handle the PROXY command: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
@@ -93,9 +91,13 @@ func (client *Client) ApplyProxiedIP(session *Session, proxiedIP string, tls boo
|
93
|
91
|
// unfortunately, an ipv6 SOURCEIP can start with a double colon; in this case,
|
94
|
92
|
// the message is invalid IRC and can't be parsed normally, hence the special handling.
|
95
|
93
|
func handleProxyCommand(server *Server, client *Client, session *Session, line string) (err error) {
|
|
94
|
+ var quitMsg string
|
96
|
95
|
defer func() {
|
97
|
96
|
if err != nil {
|
98
|
|
- client.Quit(client.t("Bad or unauthorized PROXY command"), session)
|
|
97
|
+ if quitMsg == "" {
|
|
98
|
+ quitMsg = client.t("Bad or unauthorized PROXY command")
|
|
99
|
+ }
|
|
100
|
+ client.Quit(quitMsg, session)
|
99
|
101
|
}
|
100
|
102
|
}()
|
101
|
103
|
|
|
@@ -106,13 +108,10 @@ func handleProxyCommand(server *Server, client *Client, session *Session, line s
|
106
|
108
|
|
107
|
109
|
if utils.IPInNets(client.realIP, server.Config().Server.proxyAllowedFromNets) {
|
108
|
110
|
// assume PROXY connections are always secure
|
109
|
|
- if client.ApplyProxiedIP(session, params[2], true) {
|
110
|
|
- return nil
|
111
|
|
- } else {
|
112
|
|
- return errBadProxyLine
|
113
|
|
- }
|
|
111
|
+ err, quitMsg = client.ApplyProxiedIP(session, params[2], true)
|
|
112
|
+ return
|
|
113
|
+ } else {
|
|
114
|
+ // real source IP is not authorized to issue PROXY:
|
|
115
|
+ return errBadGatewayAddress
|
114
|
116
|
}
|
115
|
|
-
|
116
|
|
- // real source IP is not authorized to issue PROXY:
|
117
|
|
- return errBadGatewayAddress
|
118
|
117
|
}
|
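Review bot: ApplyProxiedIP no longer disconnects the client itself when the proxied IP is invalid or banned (first hunk), so the rejection now depends on every caller acting on the returned error, while its doc comment still says only that it applies the IP. handleProxyCommand handles this in its deferred block, including a fallback for the empty quitMsg that the Tor branch returns; any other caller outside this view (presumably the WEBIRC path) needs the same handling, or a banned address could remain connected under the gateway's IP. I would state the contract on the function, e.g. `// On a non-nil error the caller must Quit the session, using quitMsg or a default message when it is empty.` The new signature also puts the error first, whereas Go convention (staticcheck ST1008) expects it last: `(quitMsg string, err error)`. The body of ApplyProxiedIP between the first and second hunk is not shown, so whether `session` is still used there cannot be confirmed from this page.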