1<?php 2if (!defined('DOKU_INC')) die(); 3 4/** 5 * Hide IP — action component. 6 * 7 * Hooks INIT_LANG_LOAD and rewrites the server-side IP variables so that every 8 * later piece of code — clientIP(), $INPUT->server->str('REMOTE_ADDR'), 9 * changelog writers, page metadata, the mailer's X-Originating-IP header, 10 * AJAX info, etc. — sees a constant placeholder instead of the real address. 11 * 12 * Why a constant ('0.0.0.0') rather than a session-hashed pseudo-IPv6: 13 * - This wiki has no anonymous edits; the username field already 14 * differentiates editors. A pseudo-IP adds no investigative value. 15 * - Less surface area for re-identification attacks. The original anonip 16 * leaked the first IPv4 octet via auth_browseruid(); even the fork's 17 * session-hash variant still depends on session-stability assumptions. 18 * - Page locking is not affected: inc/common.php::lock() writes only the 19 * username when REMOTE_USER is set (which it always will be here), and 20 * unlock() has session_id() as a fallback even when it isn't. 21 * 22 * Note: DOKU_URL / DOKU_BASE are constants defined at init.php:103-104, 23 * before INIT_LANG_LOAD fires. If your wiki relies on trustedproxy-based 24 * SSL detection at runtime (is_ssl() called after init), set $conf['baseurl'] 25 * explicitly so DokuWiki does not consult REMOTE_ADDR for URL construction. 26 */ 27 28use dokuwiki\Extension\ActionPlugin; 29use dokuwiki\Extension\EventHandler; 30use dokuwiki\Extension\Event; 31 32class action_plugin_hideip extends ActionPlugin 33{ 34 /** The placeholder all anonymised reads will return. */ 35 public const PLACEHOLDER_IP = '0.0.0.0'; 36 37 /** 38 * Register event hooks. 39 * 40 * @param EventHandler $controller 41 * @return void 42 */ 43 public function register(EventHandler $controller) 44 { 45 // INIT_LANG_LOAD fires at init.php:233, after the plugin controller and 46 // $INPUT are ready, but before auth_setup() and any page-handling code 47 // reads the client IP. Clobbering here covers every downstream consumer. 48 $controller->register_hook('INIT_LANG_LOAD', 'BEFORE', $this, 'handleAnonymise'); 49 } 50 51 /** 52 * Overwrite REMOTE_ADDR and all forwarding headers with the placeholder. 53 * 54 * @param Event $event unused, dispatch signature only 55 * @param mixed $param unused 56 * @return void 57 */ 58 public function handleAnonymise(Event $event, $param) 59 { 60 // Direct $_SERVER write: DokuWiki's dokuwiki\Input\Server class uses 61 // $access =& $_SERVER (see inc/Input/Server.php), so $INPUT->server 62 // reads pick up the new value without anything else to do. 63 $_SERVER['REMOTE_ADDR'] = self::PLACEHOLDER_IP; 64 65 // Also clear every common forwarding header. inc/Ip.php::clientIps() 66 // walks HTTP_X_FORWARDED_FOR and appends every IP it finds; if we 67 // left these set, the real client address would still leak into 68 // clientIP(false) (multi-IP mode) and into header logs/UIs that 69 // consume those raw values. 70 foreach ( 71 [ 72 'HTTP_X_FORWARDED_FOR', 73 'HTTP_X_REAL_IP', 74 'HTTP_CLIENT_IP', 75 'HTTP_FORWARDED', 76 'HTTP_CF_CONNECTING_IP', // Cloudflare 77 'HTTP_TRUE_CLIENT_IP', // Akamai / Cloudflare Enterprise 78 ] as $header 79 ) { 80 if (isset($_SERVER[$header])) unset($_SERVER[$header]); 81 } 82 } 83} 84