Translation update done using Pootle.
[phpmyadmin.git] / libraries / ip_allow_deny.lib.php
blobfd0bc025bc88dffd19de2feb4924ecfabec9a761
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * This library is used with the server IP allow/deny host authentication
5 * feature
7 * @todo Broken for IPv6
9 * @package PhpMyAdmin
13 /**
14 * Gets the "true" IP address of the current user
16 * @return string the ip of the user
18 * @access private
20 function PMA_getIp()
22 /* Get the address of user */
23 if (!empty($_SERVER['REMOTE_ADDR'])) {
24 $direct_ip = $_SERVER['REMOTE_ADDR'];
25 } else {
26 /* We do not know remote IP */
27 return false;
30 /* Do we trust this IP as a proxy? If yes we will use it's header. */
31 if (isset($GLOBALS['cfg']['TrustedProxies'][$direct_ip])) {
32 $trusted_header_value = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
33 $matches = array();
34 // the $ checks that the header contains only one IP address, ?: makes sure the () don't capture
35 $is_ip = preg_match('|^(?:[0-9]{1,3}\.){3,3}[0-9]{1,3}$|', $trusted_header_value, $matches);
36 if ($is_ip && (count($matches) == 1)) {
37 // True IP behind a proxy
38 return $matches[0];
42 /* Return true IP */
43 return $direct_ip;
44 } // end of the 'PMA_getIp()' function
47 /**
48 * Based on IP Pattern Matcher
49 * Originally by J.Adams <jna@retina.net>
50 * Found on <http://www.php.net/manual/en/function.ip2long.php>
51 * Modified for phpMyAdmin
53 * Matches:
54 * xxx.xxx.xxx.xxx (exact)
55 * xxx.xxx.xxx.[yyy-zzz] (range)
56 * xxx.xxx.xxx.xxx/nn (CIDR)
58 * Does not match:
59 * xxx.xxx.xxx.xx[yyy-zzz] (range, partial octets not supported)
61 * @param string string of IP range to match
62 * @param string string of IP to test against range
64 * @return boolean always true
66 * @access public
68 function PMA_ipMaskTest($testRange, $ipToTest)
70 $result = true;
72 if (preg_match('|([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/([0-9]+)|', $testRange, $regs)) {
73 // performs a mask match
74 $ipl = ip2long($ipToTest);
75 $rangel = ip2long($regs[1] . '.' . $regs[2] . '.' . $regs[3] . '.' . $regs[4]);
77 $maskl = 0;
79 for ($i = 0; $i < 31; $i++) {
80 if ($i < $regs[5] - 1) {
81 $maskl = $maskl + PMA_pow(2, (30 - $i));
82 } // end if
83 } // end for
85 if (($maskl & $rangel) == ($maskl & $ipl)) {
86 return true;
87 } else {
88 return false;
90 } else {
91 // range based
92 $maskocts = explode('.', $testRange);
93 $ipocts = explode('.', $ipToTest);
95 // perform a range match
96 for ($i = 0; $i < 4; $i++) {
97 if (preg_match('|\[([0-9]+)\-([0-9]+)\]|', $maskocts[$i], $regs)) {
98 if (($ipocts[$i] > $regs[2])
99 || ($ipocts[$i] < $regs[1])) {
100 $result = false;
101 } // end if
102 } else {
103 if ($maskocts[$i] <> $ipocts[$i]) {
104 $result = false;
105 } // end if
106 } // end if/else
107 } //end for
108 } //end if/else
110 return $result;
111 } // end of the "PMA_IPMaskTest()" function
115 * Runs through IP Allow/Deny rules the use of it below for more information
117 * @param string 'allow' | 'deny' type of rule to match
119 * @return bool Matched a rule ?
121 * @access public
123 * @see PMA_getIp()
125 function PMA_allowDeny($type)
127 global $cfg;
129 // Grabs true IP of the user and returns if it can't be found
130 $remote_ip = PMA_getIp();
131 if (empty($remote_ip)) {
132 return false;
135 // copy username
136 $username = $cfg['Server']['user'];
138 // copy rule database
139 $rules = $cfg['Server']['AllowDeny']['rules'];
141 // lookup table for some name shortcuts
142 $shortcuts = array(
143 'all' => '0.0.0.0/0',
144 'localhost' => '127.0.0.1/8'
147 // Provide some useful shortcuts if server gives us address:
148 if (PMA_getenv('SERVER_ADDR')) {
149 $shortcuts['localnetA'] = PMA_getenv('SERVER_ADDR') . '/8';
150 $shortcuts['localnetB'] = PMA_getenv('SERVER_ADDR') . '/16';
151 $shortcuts['localnetC'] = PMA_getenv('SERVER_ADDR') . '/24';
154 foreach ($rules as $rule) {
155 // extract rule data
156 $rule_data = explode(' ', $rule);
158 // check for rule type
159 if ($rule_data[0] != $type) {
160 continue;
163 // check for username
164 if (($rule_data[1] != '%') //wildcarded first
165 && ($rule_data[1] != $username)) {
166 continue;
169 // check if the config file has the full string with an extra
170 // 'from' in it and if it does, just discard it
171 if ($rule_data[2] == 'from') {
172 $rule_data[2] = $rule_data[3];
175 // Handle shortcuts with above array
176 if (isset($shortcuts[$rule_data[2]])) {
177 $rule_data[2] = $shortcuts[$rule_data[2]];
180 // Add code for host lookups here
181 // Excluded for the moment
183 // Do the actual matching now
184 if (PMA_ipMaskTest($rule_data[2], $remote_ip)) {
185 return true;
187 } // end while
189 return false;
190 } // end of the "PMA_AllowDeny()" function