Page MenuHomePhabricator

Unable to block large IPv4 /8 ranges
Closed, ResolvedPublic

Description

On an external MW installation (ver 1.17.0), the parm re max range has been changed as follows:
$wgBlockCIDRLimit = array (

'IPv4' => 8,
'IPv6' => 19, # 2^109 = ~6.5x10^32 addresses

);

Applied one /8 hard block. Block log and block list are ok. However certain IP's from that range still succeed to register new accounts.

Because of bug 41778 the fields "ipb_range_start" and "ipb_range_end" have been checked. They are of the type "tinyblob".

So it might be that somewhere a routine cannot handle the diff between hi and lo of that range (i.e. 16777216) because a variable has been declared as a 16 bit integer or something like that.

Obviously would never be discovered on WMF wikis because max block range is /16


Version: 1.17.x
Severity: normal

Details

Reference
bz42303

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:48 AM
bzimport set Reference to bz42303.
bzimport added a subscriber: Unknown Object (MLST).

Have you checked if this problem still happens with a supported version of MediaWiki (if so, which version)?

RonaldB: Could you answer comment 1, please?

@Andre Klapper,

No. Is existing installation and I don't have control re that aspect myself.

But doubt whether this is version specific. As Wikipedia etc. is restricted to blocking /16 ranges at the largest, I fear that the blocking functionality for larger ranges (e.g. /8) has not been tested for ages.

The work-around is obviously breaking down large ranges into (quite a number) of smaller ones.

Btw: reason for interest to block large ranges is spam from countries (e.g. CN) that would never be interested to edit any page on that particular wiki.

tstarling claimed this task.
tstarling subscribed.

In 1.17:

		# Only scan ranges which start in this /16, this improves search speed
		# Blocks should not cross a /16 boundary.
		$range = substr( $iaddr, 0, 4 );

Currently:

	/**
	 * Get the component of an IP address which is certain to be the same between an IP
	 * address and a range block containing that IP address.
	 *
	 * @param string $hex Hexadecimal IP representation
	 * @return string
	 */
	private function getIpFragment( $hex ) {
		$blockCIDRLimit = $this->options->get( MainConfigNames::BlockCIDRLimit );
		if ( str_starts_with( $hex, 'v6-' ) ) {
			return 'v6-' . substr( substr( $hex, 3 ), 0, (int)floor( $blockCIDRLimit['IPv6'] / 4 ) );
		} else {
			return substr( $hex, 0, (int)floor( $blockCIDRLimit['IPv4'] / 4 ) );
		}
	}

So indeed there was such a bug in 1.17 but it should be fixed now.