search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Upgraded phpmyadmin to 4.0.4 (All Languages) - No modifications yet
[openemr.git] / phpmyadmin / libraries / ip_allow_deny.lib.php
blobf253e37c151efe498ccbdd07f40cc208b55f311c
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * This library is used with the server IP allow/deny host authentication
5 * feature
6 *
7 * @package PhpMyAdmin
8 */
9 if (! defined('PHPMYADMIN')) {
10 exit;
11 }
12
13 /**
14 * Gets the "true" IP address of the current user
15 *
16 * @return string the ip of the user
17 *
18 * @access private
19 */
20 function PMA_getIp()
21 {
22 /* Get the address of user */
23 if (!empty($_SERVER['REMOTE_ADDR'])) {
24 $direct_ip = $_SERVER['REMOTE_ADDR'];
25 } else {
26 /* We do not know remote IP */
27 return false;
28 }
29
30 /* Do we trust this IP as a proxy? If yes we will use it's header. */
31 if (isset($GLOBALS['cfg']['TrustedProxies'][$direct_ip])) {
32 $trusted_header_value
33 = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
34 $matches = array();
35 // the $ checks that the header contains only one IP address,
36 // ?: makes sure the () don't capture
37 $is_ip = preg_match(
38 '|^(?:[0-9]{1,3}\.){3,3}[0-9]{1,3}$|',
39 $trusted_header_value, $matches
40 );
41 if ($is_ip && (count($matches) == 1)) {
42 // True IP behind a proxy
43 return $matches[0];
44 }
45 }
46
47 /* Return true IP */
48 return $direct_ip;
49 } // end of the 'PMA_getIp()' function
50
51
52 /**
53 * Matches for IPv4 or IPv6 addresses
54 *
55 * @param string $testRange string of IP range to match
56 * @param string $ipToTest string of IP to test against range
57 *
58 * @return boolean whether the IP mask matches
59 *
60 * @access public
61 */
62 function PMA_ipMaskTest($testRange, $ipToTest)
63 {
64 $result = true;
65
66 if (strpos($testRange, ':') > -1 || strpos($ipToTest, ':') > -1) {
67 // assume IPv6
68 $result = PMA_ipv6MaskTest($testRange, $ipToTest);
69 } else {
70 $result = PMA_ipv4MaskTest($testRange, $ipToTest);
71 }
72
73 return $result;
74 } // end of the "PMA_ipMaskTest()" function
75
76
77 /**
78 * Based on IP Pattern Matcher
79 * Originally by J.Adams <jna@retina.net>
80 * Found on <http://www.php.net/manual/en/function.ip2long.php>
81 * Modified for phpMyAdmin
82 *
83 * Matches:
84 * xxx.xxx.xxx.xxx (exact)
85 * xxx.xxx.xxx.[yyy-zzz] (range)
86 * xxx.xxx.xxx.xxx/nn (CIDR)
87 *
88 * Does not match:
89 * xxx.xxx.xxx.xx[yyy-zzz] (range, partial octets not supported)
90 *
91 * @param string $testRange string of IP range to match
92 * @param string $ipToTest string of IP to test against range
93 *
94 * @return boolean whether the IP mask matches
95 *
96 * @access public
97 */
98 function PMA_ipv4MaskTest($testRange, $ipToTest)
99 {
100 $result = true;
101 $match = preg_match(
102 '|([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/([0-9]+)|',
103 $testRange,
104 $regs
105 );
106 if ($match) {
107 // performs a mask match
108 $ipl = ip2long($ipToTest);
109 $rangel = ip2long(
110 $regs[1] . '.' . $regs[2] . '.' . $regs[3] . '.' . $regs[4]
111 );
112
113 $maskl = 0;
114
115 for ($i = 0; $i < 31; $i++) {
116 if ($i < $regs[5] - 1) {
117 $maskl = $maskl + PMA_Util::pow(2, (30 - $i));
118 } // end if
119 } // end for
120
121 if (($maskl & $rangel) == ($maskl & $ipl)) {
122 return true;
123 } else {
124 return false;
125 }
126 } else {
127 // range based
128 $maskocts = explode('.', $testRange);
129 $ipocts = explode('.', $ipToTest);
130
131 // perform a range match
132 for ($i = 0; $i < 4; $i++) {
133 if (preg_match('|\[([0-9]+)\-([0-9]+)\]|', $maskocts[$i], $regs)) {
134 if (($ipocts[$i] > $regs[2]) || ($ipocts[$i] < $regs[1])) {
135 $result = false;
136 } // end if
137 } else {
138 if ($maskocts[$i] <> $ipocts[$i]) {
139 $result = false;
140 } // end if
141 } // end if/else
142 } //end for
143 } //end if/else
144
145 return $result;
146 } // end of the "PMA_ipv4MaskTest()" function
147
148
149 /**
150 * IPv6 matcher
151 * CIDR section taken from http://stackoverflow.com/a/10086404
152 * Modified for phpMyAdmin
153 *
154 * Matches:
155 * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (exact)
156 * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:[yyyy-zzzz] (range, only at end of IP - no subnets)
157 * xxxx:xxxx:xxxx:xxxx/nn (CIDR)
158 *
159 * Does not match:
160 * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx[yyy-zzz] (range, partial octets not supported)
161 *
162 * @param string $test_range string of IP range to match
163 * @param string $ip_to_test string of IP to test against range
164 *
165 * @return boolean whether the IP mask matches
166 *
167 * @access public
168 */
169 function PMA_ipv6MaskTest($test_range, $ip_to_test)
170 {
171 $result = true;
172
173 // convert to lowercase for easier comparison
174 $test_range = strtolower($test_range);
175 $ip_to_test = strtolower($ip_to_test);
176
177 $is_cidr = strpos($test_range, '/') > -1;
178 $is_range = strpos($test_range, '[') > -1;
179 $is_single = ! $is_cidr && ! $is_range;
180
181 $ip_hex = bin2hex(inet_pton($ip_to_test));
182
183 if ($is_single) {
184 $range_hex = bin2hex(inet_pton($test_range));
185 $result = $ip_hex === $range_hex;
186 } elseif ($is_range) {
187 // what range do we operate on?
188 $range_match = array();
189 if (preg_match('/\[([0-9a-f]+)\-([0-9a-f]+)\]/', $test_range, $range_match)) {
190 $range_start = $range_match[1];
191 $range_end = $range_match[2];
192
193 // get the first and last allowed IPs
194 $first_ip = str_replace($range_match[0], $range_start, $test_range);
195 $first_hex = bin2hex(inet_pton($first_ip));
196 $last_ip = str_replace($range_match[0], $range_end, $test_range);
197 $last_hex = bin2hex(inet_pton($last_ip));
198
199 // check if the IP to test is within the range
200 $result = ($ip_hex >= $first_hex && $ip_hex <= $last_hex);
201 }
202 } elseif ($is_cidr) {
203 // Split in address and prefix length
204 list($first_ip, $subnet) = explode('/', $test_range);
205
206 // Parse the address into a binary string
207 $first_bin = inet_pton($first_ip);
208 $first_hex = bin2hex($first_bin);
209
210 // Overwriting first address string to make sure notation is optimal
211 $first_ip = inet_ntop($first_bin);
212
213 $flexbits = 128 - $subnet;
214
215 // Build the hexadecimal string of the last address
216 $last_hex = $first_hex;
217
218 $pos = 31;
219 while ($flexbits > 0) {
220 // Get the character at this position
221 $orig = substr($last_hex, $pos, 1);
222
223 // Convert it to an integer
224 $origval = hexdec($orig);
225
226 // OR it with (2^flexbits)-1, with flexbits limited to 4 at a time
227 $newval = $origval | (pow(2, min(4, $flexbits)) - 1);
228
229 // Convert it back to a hexadecimal character
230 $new = dechex($newval);
231
232 // And put that character back in the string
233 $last_hex = substr_replace($last_hex, $new, $pos, 1);
234
235 // We processed one nibble, move to previous position
236 $flexbits -= 4;
237 $pos -= 1;
238 }
239
240 // check if the IP to test is within the range
241 $result = ($ip_hex >= $first_hex && $ip_hex <= $last_hex);
242 }
243
244 return $result;
245 } // end of the "PMA_ipv6MaskTest()" function
246
247
248 /**
249 * Runs through IP Allow/Deny rules the use of it below for more information
250 *
251 * @param string $type 'allow' | 'deny' type of rule to match
252 *
253 * @return bool Matched a rule ?
254 *
255 * @access public
256 *
257 * @see PMA_getIp()
258 */
259 function PMA_allowDeny($type)
260 {
261 global $cfg;
262
263 // Grabs true IP of the user and returns if it can't be found
264 $remote_ip = PMA_getIp();
265 if (empty($remote_ip)) {
266 return false;
267 }
268
269 // copy username
270 $username = $cfg['Server']['user'];
271
272 // copy rule database
273 $rules = $cfg['Server']['AllowDeny']['rules'];
274
275 // lookup table for some name shortcuts
276 $shortcuts = array(
277 'all' => '0.0.0.0/0',
278 'localhost' => '127.0.0.1/8'
279 );
280
281 // Provide some useful shortcuts if server gives us address:
282 if (PMA_getenv('SERVER_ADDR')) {
283 $shortcuts['localnetA'] = PMA_getenv('SERVER_ADDR') . '/8';
284 $shortcuts['localnetB'] = PMA_getenv('SERVER_ADDR') . '/16';
285 $shortcuts['localnetC'] = PMA_getenv('SERVER_ADDR') . '/24';
286 }
287
288 foreach ($rules as $rule) {
289 // extract rule data
290 $rule_data = explode(' ', $rule);
291
292 // check for rule type
293 if ($rule_data[0] != $type) {
294 continue;
295 }
296
297 // check for username
298 if (($rule_data[1] != '%') //wildcarded first
299 && ($rule_data[1] != $username)
300 ) {
301 continue;
302 }
303
304 // check if the config file has the full string with an extra
305 // 'from' in it and if it does, just discard it
306 if ($rule_data[2] == 'from') {
307 $rule_data[2] = $rule_data[3];
308 }
309
310 // Handle shortcuts with above array
311 if (isset($shortcuts[$rule_data[2]])) {
312 $rule_data[2] = $shortcuts[$rule_data[2]];
313 }
314
315 // Add code for host lookups here
316 // Excluded for the moment
317
318 // Do the actual matching now
319 if (PMA_ipMaskTest($rule_data[2], $remote_ip)) {
320 return true;
321 }
322 } // end while
323
324 return false;
325 } // end of the "PMA_AllowDeny()" function
326
327 ?>
Mirror of official OpenEMR Sourceforge repository