X-Git-Url: https://git.p6c8.net/jirafeau.git/blobdiff_plain/8b600187edd40b6bc402f1807648426c30de367c..d72f71d688234572750d55a90696a904d958ed17:/lib/functions.php diff --git a/lib/functions.php b/lib/functions.php index 2546497..2c799f2 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -98,6 +98,9 @@ function is_ssl() { return true; } elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) { return true; + } elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { + if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') + return true; } return false; } @@ -611,7 +614,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash) continue; /* Filter. */ - if (!empty ($name) && !preg_match ("/$name/i", $l['file_name'])) + if (!empty ($name) && !preg_match ("/$name/i", htmlspecialchars($l['file_name']))) continue; if (!empty ($file_hash) && $file_hash != $l['md5']) continue; @@ -623,7 +626,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash) '<form action = "admin.php" method = "post">' . '<input type = "hidden" name = "action" value = "download"/>' . '<input type = "hidden" name = "link" value = "' . $node . '"/>' . - '<input type = "submit" value = "' . $l['file_name'] . '" />' . + '<input type = "submit" value = "' . htmlspecialchars($l['file_name']) . '" />' . '</form>'; echo '</td>'; echo '<td>' . $l['mime_type'] . '</td>'; @@ -1081,3 +1084,97 @@ function jirafeau_challenge_upload_password ($cfg, $password) return false; } +/** + * Test if visitor's IP is authorized to upload. + * @param $ip IP to be challenged + * @return true if IP is authorized, false otherwise. + */ +function jirafeau_challenge_upload_ip ($cfg, $ip) +{ + if (count ($cfg['upload_ip']) == 0) + return true; + forEach ($cfg['upload_ip'] as $i) + { + if ($i == $ip) + return true; + // CIDR test for IPv4 only. + if (strpos ($i, '/') !== false) + { + list ($subnet, $mask) = explode('/', $i); + if ((ip2long ($ip) & ~((1 << (32 - $mask)) - 1) ) == ip2long ($subnet)) + return true; + } + } + return false; +} + +/** Tell if we have some HTTP headers generated by a proxy */ +function has_http_forwarded() +{ + if (!empty ($_SERVER['HTTP_X_FORWARDED_FOR'])) + return true; + if (!empty ($_SERVER['http_X_forwarded_for'])) + return true; + return false; +} + +/** + * Generate IP list from HTTP headers generated by a proxy + * return array of IP strings + */ +function get_ip_list_http_forwarded() +{ + $ip_list = array(); + if (!empty ($_SERVER['HTTP_X_FORWARDED_FOR'])) + { + $l = explode (',', $_SERVER['HTTP_X_FORWARDED_FOR']); + foreach ($l as $ip) + array_push ($ip_list, preg_replace ('/\s+/', '', $ip)); + } + if (!empty ($_SERVER['http_X_forwarded_for'])) + { + $l = explode (',', $_SERVER['http_X_forwarded_for']); + foreach ($l as $ip) + { + // Separate IP from port + $ip = explode (':', $ip)[0]; + array_push ($ip_list, preg_replace ('/\s+/', '', $ip)); + } + } + return $ip_list; +} + +/** + * Get the ip address of the client from REMOTE_ADDR + * or from HTTP_X_FORWARDED_FOR if behind a proxy + * @returns an the client ip address + */ +function get_ip_address($cfg) { + $remote = $_SERVER['REMOTE_ADDR']; + if (count ($cfg['proxy_ip']) == 0 || !has_http_forwarded ()) + return $remote; + + $ip_list = get_ip_list_http_forwarded (); + if (count ($ip_list) == 0) + return $remote; + + foreach ($cfg['proxy_ip'] as $proxy_ip) + { + if ($remote != $proxy_ip) + continue; + // Take the last IP (the one which has been set by the defined proxy). + return end ($ip_list); + } + return $remote; +} + +/** + * Convert hexadecimal string to base64 + */ +function hex_to_base64($hex) +{ + $b = ''; + foreach (str_split ($hex, 2) as $pair) + $b .= chr (hexdec ($pair)); + return base64_encode ($b); +}