Code source de phpMyAdmin 2.10.3 |
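<?php
/* $Id: ip_allow_deny.lib.php 10089 2007-03-14 12:47:37Z cybot_tm $ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
 * This library is used with the server IP allow/deny host authentication
 * feature.
 *
 * It derives the client address (PMA_getIp), tests an address against one
 * rule mask (PMA_ipMaskTest) and walks the configured rule list
 * (PMA_allowDeny). It depends on PMA_getenv(), which is defined elsewhere.
 */


/**
 * Gets the "true" IP address of the current user
 *
 * REMOTE_ADDR is used unless it is a key of $cfg['TrustedProxies']; in that
 * case the request variable named by that entry is read through PMA_getenv()
 * and used instead, but only if it is exactly one dotted quad. Anything else
 * (a list of addresses, a hostname, an empty value) falls back to REMOTE_ADDR,
 * so the proxy's own address is what the rules are matched against.
 *
 * NOTE(review): the pattern only checks the shape of the value (1-3 digits per
 * octet); octets above 255 are not rejected here. The value is client-supplied
 * data relayed by the proxy, so TrustedProxies should list only proxies that
 * overwrite that header themselves.
 *
 * @return  mixed   the ip of the user (string), or false when REMOTE_ADDR
 *                  is not available
 *
 * @access  private
 */
function PMA_getIp()
{
    /* Without REMOTE_ADDR there is no address to match rules against */
    if (empty($_SERVER['REMOTE_ADDR'])) {
        return false;
    }
    $direct_ip = $_SERVER['REMOTE_ADDR'];

    /* Do we trust this IP as a proxy? If yes we will use its header. */
    if (isset($GLOBALS['cfg']['TrustedProxies'][$direct_ip])) {
        $proxy_ip = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
        // the anchors check that the header contains only one IP address
        $is_ip = preg_match('|^([0-9]{1,3}\.){3,3}[0-9]{1,3}$|', $proxy_ip, $regs);
        if ($is_ip && (count($regs) > 0)) {
            // True IP behind a proxy
            return $regs[0];
        }
    }

    /* Not behind a trusted proxy, or its header was unusable */
    return $direct_ip;
} // end of the 'PMA_getIp()' function


/**
 * Based on IP Pattern Matcher
 * Originally by J.Adams <jna@retina.net>
 * Found on <http://www.php.net/manual/en/function.ip2long.php>
 * Modified by Robbat2 <robbat2@users.sourceforge.net>
 *
 * Matches:
 * xxx.xxx.xxx.xxx        (exact)
 * xxx.xxx.xxx.[yyy-zzz]  (range)
 * xxx.xxx.xxx.xxx/nn     (CIDR)
 *
 * Does not match:
 * xxx.xxx.xxx.xx[yyy-zzz]  (range, partial octets not supported)
 *
 * CIDR notes:
 * - All nn leading bits are compared. The previous mask was built from bit 30
 *   downwards and never contained bit 31, so two addresses that differed only
 *   in the top bit (10.x.x.x and 138.x.x.x) satisfied the same rule.
 * - "/0" matches every client, including addresses ip2long() cannot parse
 *   (for instance an IPv6 REMOTE_ADDR), exactly as before; this keeps the
 *   'all' shortcut meaning "everyone".
 * - A prefix longer than 32 is treated as /32.
 * - For any other prefix, an address or range that ip2long() rejects does not
 *   match. (PHP 4 reports failure as -1 rather than false; that case is not
 *   distinguishable from 255.255.255.255 and is left as is.)
 *
 * Exact/range notes:
 * - Both strings must consist of exactly four dot-separated parts; otherwise
 *   there is no match.
 *
 * @param   string   string of IP range to match
 * @param   string   string of IP to test against range
 *
 * @return  boolean  whether the IP lies inside the range
 *
 * @access  public
 */
function PMA_ipMaskTest($testRange, $ipToTest)
{
    if (preg_match('|([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/([0-9]+)|', $testRange, $regs)) {
        // performs a mask match
        $bits = (int) $regs[5];
        if ($bits <= 0) {
            // empty mask: nothing to compare, every address is inside
            return true;
        }
        if ($bits > 32) {
            $bits = 32;
        }

        $ipl    = ip2long($ipToTest);
        $rangel = ip2long($regs[1] . '.' . $regs[2] . '.' . $regs[3] . '.' . $regs[4]);
        if ($ipl === false || $rangel === false) {
            // Do not let an unparsable value be compared as 0.0.0.0
            return false;
        }

        // $bits leading ones. Works with signed 32-bit integers as well as
        // with 64-bit ones, where the extra high bits of the mask meet zeros
        // in both operands.
        $maskl = ~0 << (32 - $bits);

        return (($maskl & $rangel) == ($maskl & $ipl));
    }

    // range based
    $maskocts = explode('.', $testRange);
    $ipocts   = explode('.', $ipToTest);

    // Fewer or more than four parts on either side cannot be an IPv4 match;
    // without this check surplus parts of the tested address were ignored.
    if (count($maskocts) != 4 || count($ipocts) != 4) {
        return false;
    }

    // perform a range match, octet by octet
    for ($i = 0; $i < 4; $i++) {
        if (preg_match('|\[([0-9]+)\-([0-9]+)\]|', $maskocts[$i], $regs)) {
            if (($ipocts[$i] > $regs[2]) || ($ipocts[$i] < $regs[1])) {
                return false;
            }
        } elseif ($maskocts[$i] <> $ipocts[$i]) {
            return false;
        }
    } // end for

    return true;
} // end of the "PMA_IPMaskTest()" function


/**
 * Runs through the IP Allow/Deny rules of the current server and reports
 * whether one of them matches the current user and client address.
 *
 * Each rule is a space-separated string:
 *     <type> <username | %> [from] <ipmask | shortcut>
 * Only rules whose first field equals $type are considered. The shortcuts
 * 'all' and 'localhost' are always available; 'localnetA', 'localnetB' and
 * 'localnetC' exist only when SERVER_ADDR is known. The first matching rule
 * ends the search.
 *
 * A rule with too few fields is skipped instead of being evaluated with an
 * empty mask. The username is compared as a string, so numeric-looking names
 * such as '10' and '1e1' are not treated as equal.
 *
 * @param   string  'allow' | 'deny' type of rule to match
 *
 * @return  bool    Matched a rule ? (false as well when the client address
 *                  is unknown or no rules are configured)
 *
 * @access  public
 *
 * @see     PMA_getIp()
 */
function PMA_allowDeny($type)
{
    global $cfg;

    // Grabs true IP of the user and returns if it can't be found
    $remote_ip = PMA_getIp();
    if (empty($remote_ip)) {
        return false;
    }

    // copy username
    $username = $cfg['Server']['user'];

    // copy rule database; nothing configured means nothing can match
    if (empty($cfg['Server']['AllowDeny']['rules'])
        || !is_array($cfg['Server']['AllowDeny']['rules'])) {
        return false;
    }
    $rules = $cfg['Server']['AllowDeny']['rules'];

    // lookup table for some name shortcuts
    $shortcuts = array(
        'all'       => '0.0.0.0/0',
        'localhost' => '127.0.0.1/8'
    );

    // Provide some useful shortcuts if server gives us address:
    $server_addr = PMA_getenv('SERVER_ADDR');
    if ($server_addr) {
        $shortcuts['localnetA'] = $server_addr . '/8';
        $shortcuts['localnetB'] = $server_addr . '/16';
        $shortcuts['localnetC'] = $server_addr . '/24';
    }

    foreach ($rules as $rule) {
        // extract rule data
        $rule_data = explode(' ', $rule);

        // a usable rule has at least type, username and mask
        if (count($rule_data) < 3) {
            continue;
        }

        // check for rule type
        if ($rule_data[0] != $type) {
            continue;
        }

        // check for username
        if (($rule_data[1] != '%') //wildcarded first
            && ((string) $rule_data[1] !== (string) $username)) {
            continue;
        }

        // check if the config file has the full string with an extra
        // 'from' in it and if it does, just discard it
        if ($rule_data[2] == 'from') {
            if (!isset($rule_data[3])) {
                // "... from" with no mask after it
                continue;
            }
            $rule_data[2] = $rule_data[3];
        }

        // Handle shortcuts with above array
        // DON'T use "array_key_exists" as it's only PHP 4.1 and newer.
        if (isset($shortcuts[$rule_data[2]])) {
            $rule_data[2] = $shortcuts[$rule_data[2]];
        }

        // Add code for host lookups here
        // Excluded for the moment

        // Do the actual matching now
        if (PMA_ipMaskTest($rule_data[2], $remote_ip)) {
            return true;
        }
    } // end foreach

    return false;
} // end of the "PMA_AllowDeny()" function

?>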