Comments (9)
From r.wetzlmayr on July 08, 2009 04:39:33
This issue was closed by r3247 .
Status: Fixed
from textpattern.
From r.wetzlmayr on August 01, 2009 17:19:09
X_HTTP_FORWARDED_FOR is spoofable and thus an untrusted source to base IP-based bans
upon.
Status: Confirmed
Owner: ---
from textpattern.
Banning based on IP address will become more problematic in the future:
The largest ISP in the Netherlands has started using DS-Lite for new customers, which means you're getting an IPv6 range + a single private range IPv4 address which connects to the IPv4 internet via a carrier grade NAT system. So there will be multiple customers sharing the same public IPv4 address when visiting a IPv4-only websites.
And when you do visit a website via IPv6, which address are you going to ban? Customers get at least a /64 range. You can ban the entire range, which would be fine for a consumer (using privacy extensions, a seemingly random address from that range would be used), but not when it concerns a business client which uses a /64 for its internal network.
The fun doesn't end there... depending on the ISP, customers might even get a /56 or /48 range. How would you distinguish between /64 customers and /48 customers? If you assume the customer has a /48, you could end up banning 65 thousand customers who in reality have a /64. The other way around, you'd block only a fraction of the address space available to the spammer.
from textpattern.
I've never liked banning based on IP. It often backfires, as you say, when you ban legit people who get an address from an ISP pool.
I use Tor or JonDo or OpenVPN depending on my mood and I doubt I'm the only one :-) So there must be a whole bunch of people on the "same IP address" at different times of the day.
More intelligent filtering (there are many plugins already) is surely a better way to handle it than the fire-and-hope method of blocking an IP address? If it was up to me I'd drop the ban-by-IP feature altogether.
from textpattern.
If it was up to me I'd drop the ban-by-IP feature altogether.
+1
from textpattern.
Fine by me, I vote to get rid of it. One less thing to support going forward.
from textpattern.
Can we sneak removal of the IP ban system into 4.6 do you think? Or leave it for now?
Either way, do we just ditch it wholesale (txp_discuss_ipban table, UI elements, and verification while commenting) or do we take a phased approach? Like maybe dropping the UI elements and issuing a deprecation warning when visiting the ipban panel, but leaving the table and comment verification in place until a later release so at least filtering still "works" for the time being?
from textpattern.
Personally I haven't used it ever. So I'd propose to
- add a few voices from the forum
- remove it entirely unless someone comes up with a convincing argument
from textpattern.
I've requested input on the forum:
http://forum.textpattern.com/viewtopic.php?pid=295944
from textpattern.
Related Issues (20)
- Update HISTORY and/or README.md that Textpattern will not run as expected with PHP 8.3.0 under some circumstances. HOT 2
- Prep work and actions for MySQL 8.3 support
- Progressively get rid of MD5 HOT 2
- jQuery 4.0.0 is coming soon HOT 2
- How to customize <title></title> HOT 1
- how to install EDITOR HOT 2
- Safari 15.7 / iOS 15 preview text view not loading HOT 2
- Show spam form action (or rather page URL) is not updated on clear search HOT 6
- Function strftime() has been DEPRECATED as of PHP 8.1.0 but is still used in safe_strftime HOT 8
- Textpattern 4.9.0 release flight plan HOT 17
- Incorrect layout on the plugins panel HOT 3
- RFC: Textpattern 4.9 is final 4.x release; Textpattern 5.0 next 'big' release HOT 6
- Edit file / missing file: non functional “delete” button
- Edit file / missing file: SQL error and warning when pressing ‘save’ HOT 1
- Edit file panel - some HTML & layout issues HOT 1
- utf8_en/decode() are deprecated in PHP 8.2 HOT 7
- PHP 8.4 compatibility tracking HOT 4
- Articles with status 'Hidden' do not return a `404 Not Found` response when requested but a `200 OK` HOT 1
- RFC: would `htmz` solve any problems? HOT 1
- Form names may contain hyphens or other 'strange' characters. Such form names do not work as 'txp::' shortcuts. HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from textpattern.