libraries/ip_allow_deny.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * This library is used with the server IP allow/deny host authentication
   5  * feature
   6  *
   7  * @package PhpMyAdmin
   8  */
   9
  10 use PhpMyAdmin\Core;
  11 require_once './libraries/hash.lib.php';
  12
  13 /**
  14  * Matches for IPv4 or IPv6 addresses
  15  *
  16  * @param string $testRange string of IP range to match
  17  * @param string $ipToTest  string of IP to test against range
  18  *
  19  * @return boolean    whether the IP mask matches
  20  *
  21  * @access  public
  22  */
  23 function PMA_ipMaskTest($testRange, $ipToTest)
  24 {
  25     if (mb_strpos($testRange, ':') > -1
  26         || mb_strpos($ipToTest, ':') > -1
  27     ) {
  28         // assume IPv6
  29         $result = PMA_ipv6MaskTest($testRange, $ipToTest);
  30     } else {
  31         $result = PMA_ipv4MaskTest($testRange, $ipToTest);
  32     }
  33
  34     return $result;
  35 } // end of the "PMA_ipMaskTest()" function
  36
  37
  38 /**
  39  * Based on IP Pattern Matcher
  40  * Originally by J.Adams <jna@retina.net>
  41  * Found on <https://secure.php.net/manual/en/function.ip2long.php>
  42  * Modified for phpMyAdmin
  43  *
  44  * Matches:
  45  * xxx.xxx.xxx.xxx        (exact)
  46  * xxx.xxx.xxx.[yyy-zzz]  (range)
  47  * xxx.xxx.xxx.xxx/nn     (CIDR)
  48  *
  49  * Does not match:
  50  * xxx.xxx.xxx.xx[yyy-zzz]  (range, partial octets not supported)
  51  *
  52  * @param string $testRange string of IP range to match
  53  * @param string $ipToTest  string of IP to test against range
  54  *
  55  * @return boolean    whether the IP mask matches
  56  *
  57  * @access  public
  58  */
  59 function PMA_ipv4MaskTest($testRange, $ipToTest)
  60 {
  61     $result = true;
  62     $match = preg_match(
  63         '|([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/([0-9]+)|',
  64         $testRange,
  65         $regs
  66     );
  67     if ($match) {
  68         // performs a mask match
  69         $ipl    = ip2long($ipToTest);
  70         $rangel = ip2long(
  71             $regs[1] . '.' . $regs[2] . '.' . $regs[3] . '.' . $regs[4]
  72         );
  73
  74         $maskl  = 0;
  75
  76         for ($i = 0; $i < 31; $i++) {
  77             if ($i < $regs[5] - 1) {
  78                 $maskl = $maskl + pow(2, (30 - $i));
  79             } // end if
  80         } // end for
  81
  82         if (($maskl & $rangel) == ($maskl & $ipl)) {
  83             return true;
  84         }
  85
  86         return false;
  87     }
  88
  89     // range based
  90     $maskocts = explode('.', $testRange);
  91     $ipocts   = explode('.', $ipToTest);
  92
  93     // perform a range match
  94     for ($i = 0; $i < 4; $i++) {
  95         if (preg_match('|\[([0-9]+)\-([0-9]+)\]|', $maskocts[$i], $regs)) {
  96             if (($ipocts[$i] > $regs[2]) || ($ipocts[$i] < $regs[1])) {
  97                 $result = false;
  98             } // end if
  99         } else {
 100             if ($maskocts[$i] <> $ipocts[$i]) {
 101                 $result = false;
 102             } // end if
 103         } // end if/else
 104     } //end for
 105
 106     return $result;
 107 } // end of the "PMA_ipv4MaskTest()" function
 108
 109
 110 /**
 111  * IPv6 matcher
 112  * CIDR section taken from https://stackoverflow.com/a/10086404
 113  * Modified for phpMyAdmin
 114  *
 115  * Matches:
 116  * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
 117  * (exact)
 118  * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:[yyyy-zzzz]
 119  * (range, only at end of IP - no subnets)
 120  * xxxx:xxxx:xxxx:xxxx/nn
 121  * (CIDR)
 122  *
 123  * Does not match:
 124  * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx[yyy-zzz]
 125  * (range, partial octets not supported)
 126  *
 127  * @param string $test_range string of IP range to match
 128  * @param string $ip_to_test string of IP to test against range
 129  *
 130  * @return boolean    whether the IP mask matches
 131  *
 132  * @access  public
 133  */
 134 function PMA_ipv6MaskTest($test_range, $ip_to_test)
 135 {
 136     $result = true;
 137
 138     // convert to lowercase for easier comparison
 139     $test_range = mb_strtolower($test_range);
 140     $ip_to_test = mb_strtolower($ip_to_test);
 141
 142     $is_cidr = mb_strpos($test_range, '/') > -1;
 143     $is_range = mb_strpos($test_range, '[') > -1;
 144     $is_single = ! $is_cidr && ! $is_range;
 145
 146     $ip_hex = bin2hex(inet_pton($ip_to_test));
 147
 148     if ($is_single) {
 149         $range_hex = bin2hex(inet_pton($test_range));
 150         $result = hash_equals($ip_hex, $range_hex);
 151         return $result;
 152     }
 153
 154     if ($is_range) {
 155         // what range do we operate on?
 156         $range_match = array();
 157         $match = preg_match(
 158             '/\[([0-9a-f]+)\-([0-9a-f]+)\]/', $test_range, $range_match
 159         );
 160         if ($match) {
 161             $range_start = $range_match[1];
 162             $range_end   = $range_match[2];
 163
 164             // get the first and last allowed IPs
 165             $first_ip  = str_replace($range_match[0], $range_start, $test_range);
 166             $first_hex = bin2hex(inet_pton($first_ip));
 167             $last_ip   = str_replace($range_match[0], $range_end, $test_range);
 168             $last_hex  = bin2hex(inet_pton($last_ip));
 169
 170             // check if the IP to test is within the range
 171             $result = ($ip_hex >= $first_hex && $ip_hex <= $last_hex);
 172         }
 173         return $result;
 174     }
 175
 176     if ($is_cidr) {
 177         // Split in address and prefix length
 178         list($first_ip, $subnet) = explode('/', $test_range);
 179
 180         // Parse the address into a binary string
 181         $first_bin = inet_pton($first_ip);
 182         $first_hex = bin2hex($first_bin);
 183
 184         $flexbits = 128 - $subnet;
 185
 186         // Build the hexadecimal string of the last address
 187         $last_hex = $first_hex;
 188
 189         $pos = 31;
 190         while ($flexbits > 0) {
 191             // Get the character at this position
 192             $orig = mb_substr($last_hex, $pos, 1);
 193
 194             // Convert it to an integer
 195             $origval = hexdec($orig);
 196
 197             // OR it with (2^flexbits)-1, with flexbits limited to 4 at a time
 198             $newval = $origval | (pow(2, min(4, $flexbits)) - 1);
 199
 200             // Convert it back to a hexadecimal character
 201             $new = dechex($newval);
 202
 203             // And put that character back in the string
 204             $last_hex = substr_replace($last_hex, $new, $pos, 1);
 205
 206             // We processed one nibble, move to previous position
 207             $flexbits -= 4;
 208             --$pos;
 209         }
 210
 211         // check if the IP to test is within the range
 212         $result = ($ip_hex >= $first_hex && $ip_hex <= $last_hex);
 213     }
 214
 215     return $result;
 216 } // end of the "PMA_ipv6MaskTest()" function
 217
 218
 219 /**
 220  * Runs through IP Allow/Deny rules the use of it below for more information
 221  *
 222  * @param string $type 'allow' | 'deny' type of rule to match
 223  *
 224  * @return bool   Whether rule has matched
 225  *
 226  * @access  public
 227  *
 228  * @see     Core::getIp()
 229  */
 230 function PMA_allowDeny($type)
 231 {
 232     global $cfg;
 233
 234     // Grabs true IP of the user and returns if it can't be found
 235     $remote_ip = Core::getIp();
 236     if (empty($remote_ip)) {
 237         return false;
 238     }
 239
 240     // copy username
 241     $username  = $cfg['Server']['user'];
 242
 243     // copy rule database
 244     if (isset($cfg['Server']['AllowDeny']['rules'])) {
 245         $rules     = $cfg['Server']['AllowDeny']['rules'];
 246         if (! is_array($rules)) {
 247             $rules = array();
 248         }
 249     } else {
 250         $rules = array();
 251     }
 252
 253     // lookup table for some name shortcuts
 254     $shortcuts = array(
 255         'all'       => '0.0.0.0/0',
 256         'localhost' => '127.0.0.1/8'
 257     );
 258
 259     // Provide some useful shortcuts if server gives us address:
 260     if (Core::getenv('SERVER_ADDR')) {
 261         $shortcuts['localnetA'] = Core::getenv('SERVER_ADDR') . '/8';
 262         $shortcuts['localnetB'] = Core::getenv('SERVER_ADDR') . '/16';
 263         $shortcuts['localnetC'] = Core::getenv('SERVER_ADDR') . '/24';
 264     }
 265
 266     foreach ($rules as $rule) {
 267         // extract rule data
 268         $rule_data = explode(' ', $rule);
 269
 270         // check for rule type
 271         if ($rule_data[0] != $type) {
 272             continue;
 273         }
 274
 275         // check for username
 276         if (($rule_data[1] != '%') //wildcarded first
 277             && (! hash_equals($rule_data[1], $username))
 278         ) {
 279             continue;
 280         }
 281
 282         // check if the config file has the full string with an extra
 283         // 'from' in it and if it does, just discard it
 284         if ($rule_data[2] == 'from') {
 285             $rule_data[2] = $rule_data[3];
 286         }
 287
 288         // Handle shortcuts with above array
 289         if (isset($shortcuts[$rule_data[2]])) {
 290             $rule_data[2] = $shortcuts[$rule_data[2]];
 291         }
 292
 293         // Add code for host lookups here
 294         // Excluded for the moment
 295
 296         // Do the actual matching now
 297         if (PMA_ipMaskTest($rule_data[2], $remote_ip)) {
 298             return true;
 299         }
 300     } // end while
 301
 302     return false;
 303 } // end of the "PMA_AllowDeny()" function