libraries/ip_allow_deny.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * This library is used with the server IP allow/deny host authentication
   5  * feature
   6  *
   7  * @todo Broken for IPv6
   8  *
   9  * @package phpMyAdmin
  10  */
  11
  12
  13 /**
  14  * Gets the "true" IP address of the current user
  15  *
  16  * @return  string   the ip of the user
  17  *
  18  * @access  private
  19  */
  20 function PMA_getIp()
  21 {
  22     /* Get the address of user */
  23     if (!empty($_SERVER['REMOTE_ADDR'])) {
  24         $direct_ip = $_SERVER['REMOTE_ADDR'];
  25     } else {
  26         /* We do not know remote IP */
  27         return false;
  28     }
  29
  30     /* Do we trust this IP as a proxy? If yes we will use it's header. */
  31     if (isset($GLOBALS['cfg']['TrustedProxies'][$direct_ip])) {
  32         $trusted_header_value = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
  33         $matches = array();
  34         // the $ checks that the header contains only one IP address, ?: makes sure the () don't capture
  35         $is_ip = preg_match('|^(?:[0-9]{1,3}\.){3,3}[0-9]{1,3}$|', $trusted_header_value, $matches);
  36         if ($is_ip && (count($matches) == 1)) {
  37             // True IP behind a proxy
  38             return $matches[0];
  39         }
  40     }
  41
  42     /* Return true IP */
  43     return $direct_ip;
  44 } // end of the 'PMA_getIp()' function
  45
  46
  47 /**
  48  * Based on IP Pattern Matcher
  49  * Originally by J.Adams <jna@retina.net>
  50  * Found on <http://www.php.net/manual/en/function.ip2long.php>
  51  * Modified for phpMyAdmin
  52  *
  53  * Matches:
  54  * xxx.xxx.xxx.xxx        (exact)
  55  * xxx.xxx.xxx.[yyy-zzz]  (range)
  56  * xxx.xxx.xxx.xxx/nn     (CIDR)
  57  *
  58  * Does not match:
  59  * xxx.xxx.xxx.xx[yyy-zzz]  (range, partial octets not supported)
  60  *
  61  * @param string   string of IP range to match
  62  * @param string   string of IP to test against range
  63  *
  64  * @return  boolean    always true
  65  *
  66  * @access  public
  67  */
  68 function PMA_ipMaskTest($testRange, $ipToTest)
  69 {
  70    $result = true;
  71
  72    if (preg_match('|([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/([0-9]+)|', $testRange, $regs)) {
  73        // performs a mask match
  74        $ipl    = ip2long($ipToTest);
  75        $rangel = ip2long($regs[1] . '.' . $regs[2] . '.' . $regs[3] . '.' . $regs[4]);
  76
  77        $maskl  = 0;
  78
  79        for ($i = 0; $i < 31; $i++) {
  80            if ($i < $regs[5] - 1) {
  81                $maskl = $maskl + PMA_pow(2, (30 - $i));
  82            } // end if
  83        } // end for
  84
  85        if (($maskl & $rangel) == ($maskl & $ipl)) {
  86            return true;
  87        } else {
  88            return false;
  89        }
  90    } else {
  91        // range based
  92        $maskocts = explode('.', $testRange);
  93        $ipocts   = explode('.', $ipToTest);
  94
  95        // perform a range match
  96        for ($i = 0; $i < 4; $i++) {
  97             if (preg_match('|\[([0-9]+)\-([0-9]+)\]|', $maskocts[$i], $regs)) {
  98                 if (($ipocts[$i] > $regs[2])
  99                     || ($ipocts[$i] < $regs[1])) {
 100                     $result = false;
 101                 } // end if
 102             } else {
 103                 if ($maskocts[$i] <> $ipocts[$i]) {
 104                     $result = false;
 105                 } // end if
 106             } // end if/else
 107        } //end for
 108    } //end if/else
 109
 110    return $result;
 111 } // end of the "PMA_IPMaskTest()" function
 112
 113
 114 /**
 115  * Runs through IP Allow/Deny rules the use of it below for more information
 116  *
 117  * @param string 'allow' | 'deny' type of rule to match
 118  *
 119  * @return  bool   Matched a rule ?
 120  *
 121  * @access  public
 122  *
 123  * @see     PMA_getIp()
 124  */
 125 function PMA_allowDeny($type)
 126 {
 127     global $cfg;
 128
 129     // Grabs true IP of the user and returns if it can't be found
 130     $remote_ip = PMA_getIp();
 131     if (empty($remote_ip)) {
 132         return false;
 133     }
 134
 135     // copy username
 136     $username  = $cfg['Server']['user'];
 137
 138     // copy rule database
 139     $rules     = $cfg['Server']['AllowDeny']['rules'];
 140
 141     // lookup table for some name shortcuts
 142     $shortcuts = array(
 143         'all'       => '0.0.0.0/0',
 144         'localhost' => '127.0.0.1/8'
 145     );
 146
 147     // Provide some useful shortcuts if server gives us address:
 148     if (PMA_getenv('SERVER_ADDR')) {
 149         $shortcuts['localnetA'] = PMA_getenv('SERVER_ADDR') . '/8';
 150         $shortcuts['localnetB'] = PMA_getenv('SERVER_ADDR') . '/16';
 151         $shortcuts['localnetC'] = PMA_getenv('SERVER_ADDR') . '/24';
 152     }
 153
 154     foreach ($rules as $rule) {
 155         // extract rule data
 156         $rule_data = explode(' ', $rule);
 157
 158         // check for rule type
 159         if ($rule_data[0] != $type) {
 160             continue;
 161         }
 162
 163         // check for username
 164         if (($rule_data[1] != '%') //wildcarded first
 165             && ($rule_data[1] != $username)) {
 166             continue;
 167         }
 168
 169         // check if the config file has the full string with an extra
 170         // 'from' in it and if it does, just discard it
 171         if ($rule_data[2] == 'from') {
 172             $rule_data[2] = $rule_data[3];
 173         }
 174
 175         // Handle shortcuts with above array
 176         if (isset($shortcuts[$rule_data[2]])) {
 177             $rule_data[2] = $shortcuts[$rule_data[2]];
 178         }
 179
 180         // Add code for host lookups here
 181         // Excluded for the moment
 182
 183         // Do the actual matching now
 184         if (PMA_ipMaskTest($rule_data[2], $remote_ip)) {
 185             return true;
 186         }
 187     } // end while
 188
 189     return false;
 190 } // end of the "PMA_AllowDeny()" function
 191
 192 ?>