phpmyadmin/libraries/ip_allow_deny.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * This library is used with the server IP allow/deny host authentication
   5  * feature
   6  *
   7  * @version $Id$
   8  */
   9
  10
  11 /**
  12  * Gets the "true" IP address of the current user
  13  *
  14  * @return  string   the ip of the user
  15  *
  16  * @access  private
  17  */
  18 function PMA_getIp()
  19 {
  20     /* Get the address of user */
  21     if (!empty($_SERVER['REMOTE_ADDR'])) {
  22         $direct_ip = $_SERVER['REMOTE_ADDR'];
  23     } else {
  24         /* We do not know remote IP */
  25         return false;
  26     }
  27
  28     /* Do we trust this IP as a proxy? If yes we will use it's header. */
  29     if (isset($GLOBALS['cfg']['TrustedProxies'][$direct_ip])) {
  30         $proxy_ip = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
  31         // the $ checks that the header contains only one IP address
  32         $is_ip = preg_match('|^([0-9]{1,3}\.){3,3}[0-9]{1,3}$|', $proxy_ip, $regs);
  33         if ($is_ip && (count($regs) > 0)) {
  34             // True IP behind a proxy
  35             return $regs[0];
  36         }
  37     }
  38
  39     /* Return true IP */
  40     return $direct_ip;
  41 } // end of the 'PMA_getIp()' function
  42
  43
  44 /**
  45  * Based on IP Pattern Matcher
  46  * Originally by J.Adams <jna@retina.net>
  47  * Found on <http://www.php.net/manual/en/function.ip2long.php>
  48  * Modified by Robbat2 <robbat2@users.sourceforge.net>
  49  *
  50  * Matches:
  51  * xxx.xxx.xxx.xxx        (exact)
  52  * xxx.xxx.xxx.[yyy-zzz]  (range)
  53  * xxx.xxx.xxx.xxx/nn     (CIDR)
  54  *
  55  * Does not match:
  56  * xxx.xxx.xxx.xx[yyy-zzz]  (range, partial octets not supported)
  57  *
  58  * @param   string   string of IP range to match
  59  * @param   string   string of IP to test against range
  60  *
  61  * @return  boolean    always true
  62  *
  63  * @access  public
  64  */
  65 function PMA_ipMaskTest($testRange, $ipToTest)
  66 {
  67    $result = true;
  68
  69    if (preg_match('|([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/([0-9]+)|', $testRange, $regs)) {
  70        // performs a mask match
  71        $ipl    = ip2long($ipToTest);
  72        $rangel = ip2long($regs[1] . '.' . $regs[2] . '.' . $regs[3] . '.' . $regs[4]);
  73
  74        $maskl  = 0;
  75
  76        for ($i = 0; $i < 31; $i++) {
  77            if ($i < $regs[5] - 1) {
  78                $maskl = $maskl + PMA_pow(2, (30 - $i));
  79            } // end if
  80        } // end for
  81
  82        if (($maskl & $rangel) == ($maskl & $ipl)) {
  83            return true;
  84        } else {
  85            return false;
  86        }
  87    } else {
  88        // range based
  89        $maskocts = explode('.', $testRange);
  90        $ipocts   = explode('.', $ipToTest);
  91
  92        // perform a range match
  93        for ($i = 0; $i < 4; $i++) {
  94             if (preg_match('|\[([0-9]+)\-([0-9]+)\]|', $maskocts[$i], $regs)) {
  95                 if (($ipocts[$i] > $regs[2])
  96                     || ($ipocts[$i] < $regs[1])) {
  97                     $result = false;
  98                 } // end if
  99             } else {
 100                 if ($maskocts[$i] <> $ipocts[$i]) {
 101                     $result = false;
 102                 } // end if
 103             } // end if/else
 104        } //end for
 105    } //end if/else
 106
 107    return $result;
 108 } // end of the "PMA_IPMaskTest()" function
 109
 110
 111 /**
 112  * Runs through IP Allow/Deny rules the use of it below for more information
 113  *
 114  * @param   string 'allow' | 'deny' type of rule to match
 115  *
 116  * @return  bool   Matched a rule ?
 117  *
 118  * @access  public
 119  *
 120  * @see     PMA_getIp()
 121  */
 122 function PMA_allowDeny($type)
 123 {
 124     global $cfg;
 125
 126     // Grabs true IP of the user and returns if it can't be found
 127     $remote_ip = PMA_getIp();
 128     if (empty($remote_ip)) {
 129         return false;
 130     }
 131
 132     // copy username
 133     $username  = $cfg['Server']['user'];
 134
 135     // copy rule database
 136     $rules     = $cfg['Server']['AllowDeny']['rules'];
 137
 138     // lookup table for some name shortcuts
 139     $shortcuts = array(
 140         'all'       => '0.0.0.0/0',
 141         'localhost' => '127.0.0.1/8'
 142     );
 143
 144     // Provide some useful shortcuts if server gives us address:
 145     if (PMA_getenv('SERVER_ADDR')) {
 146         $shortcuts['localnetA'] = PMA_getenv('SERVER_ADDR') . '/8';
 147         $shortcuts['localnetB'] = PMA_getenv('SERVER_ADDR') . '/16';
 148         $shortcuts['localnetC'] = PMA_getenv('SERVER_ADDR') . '/24';
 149     }
 150
 151     foreach ($rules as $rule) {
 152         // extract rule data
 153         $rule_data = explode(' ', $rule);
 154
 155         // check for rule type
 156         if ($rule_data[0] != $type) {
 157             continue;
 158         }
 159
 160         // check for username
 161         if (($rule_data[1] != '%') //wildcarded first
 162             && ($rule_data[1] != $username)) {
 163             continue;
 164         }
 165
 166         // check if the config file has the full string with an extra
 167         // 'from' in it and if it does, just discard it
 168         if ($rule_data[2] == 'from') {
 169             $rule_data[2] = $rule_data[3];
 170         }
 171
 172         // Handle shortcuts with above array
 173         // DON'T use "array_key_exists" as it's only PHP 4.1 and newer.
 174         if (isset($shortcuts[$rule_data[2]])) {
 175             $rule_data[2] = $shortcuts[$rule_data[2]];
 176         }
 177
 178         // Add code for host lookups here
 179         // Excluded for the moment
 180
 181         // Do the actual matching now
 182         if (PMA_ipMaskTest($rule_data[2], $remote_ip)) {
 183             return true;
 184         }
 185     } // end while
 186
 187     return false;
 188 } // end of the "PMA_AllowDeny()" function
 189
 190 ?>