/* Check if user is allowed to upload. */
if (!jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
- echo '<div class="error"><p>' . t('Access denied') . '</p></div>';
- require(JIRAFEAU_ROOT.'lib/template/footer.php');
- exit;
-}
-/* Ask password if upload password is set. */
-if (jirafeau_has_upload_password($cfg)) {
- session_start();
+ /* Ask password if upload password is set. */
+ if (jirafeau_has_upload_password($cfg)) {
+ session_start();
- /* Unlog if asked. */
- if (isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) {
- session_unset();
- }
+ /* Unlog if asked. */
+ if (isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) {
+ session_unset();
+ }
- /* Auth. */
- if (isset($_POST['upload_password'])) {
- if (jirafeau_challenge_upload_password($cfg, $_POST['upload_password'])) {
- $_SESSION['upload_auth'] = true;
- $_SESSION['user_upload_password'] = $_POST['upload_password'];
- } else {
- $_SESSION['admin_auth'] = false;
- echo '<div class="error"><p>' . t('Wrong password.') . '</p></div>';
+ /* Auth. */
+ if (isset($_POST['upload_password'])) {
+ if (jirafeau_challenge_upload_password($cfg, $_POST['upload_password'])) {
+ $_SESSION['upload_auth'] = true;
+ $_SESSION['user_upload_password'] = $_POST['upload_password'];
+ } else {
+ $_SESSION['admin_auth'] = false;
+ echo '<div class="error"><p>' . t('Wrong password.') . '</p></div>';
+ require(JIRAFEAU_ROOT.'lib/template/footer.php');
+ exit;
+ }
+ }
+
+ /* Show auth page. */
+ if (!isset($_SESSION['upload_auth']) || $_SESSION['upload_auth'] != true) {
+ ?>
+ <form action = "<?php echo basename(__FILE__); ?>" method = "post">
+ <fieldset>
+ <table>
+ <tr>
+ <td class = "label"><label for = "enter_password">
+ <?php echo t('Upload password') . ':'; ?></label>
+ </td>
+ <td class = "field"><input type = "password"
+ name = "upload_password" id = "upload_password"
+ size = "40" />
+ </td>
+ </tr>
+ <tr class = "nav">
+ <td></td>
+ <td class = "nav next">
+ <input type = "submit" name = "key" value =
+ "<?php echo t('Login'); ?>" />
+ </td>
+ </tr>
+ </table>
+ </fieldset>
+ </form>
+ <?php
require(JIRAFEAU_ROOT.'lib/template/footer.php');
exit;
}
}
-
- /* Show auth page. */
- if (!isset($_SESSION['upload_auth']) || $_SESSION['upload_auth'] != true) {
- ?>
- <form action = "<?php echo basename(__FILE__); ?>" method = "post">
- <fieldset>
- <table>
- <tr>
- <td class = "label"><label for = "enter_password">
- <?php echo t('Upload password') . ':'; ?></label>
- </td>
- <td class = "field"><input type = "password"
- name = "upload_password" id = "upload_password"
- size = "40" />
- </td>
- </tr>
- <tr class = "nav">
- <td></td>
- <td class = "nav next">
- <input type = "submit" name = "key" value =
- "<?php echo t('Login'); ?>" />
- </td>
- </tr>
- </table>
- </fieldset>
- </form>
- <?php
- require(JIRAFEAU_ROOT.'lib/template/footer.php');
- exit;
- }
}
-
+
?>
<div id="upload_finished">
<p><?php echo t('File uploaded !') ?></p>
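Review bot: The wrong-password branch at `$_SESSION['admin_auth'] = false;` resets a key the upload flow never reads, while `$_SESSION['upload_auth']` — the flag the form check below tests — is left untouched, so a session that was already authenticated stays authenticated after a failed re-login; this looks like a copy-paste slip from the admin page and `$_SESSION['upload_auth'] = false;` is presumably what was meant. The commit only re-indents this block, so the defect is pre-existing but now sits in the new code path. `$_SESSION['user_upload_password'] = $_POST['upload_password'];` also keeps the cleartext password in the session for its whole lifetime; whether anything still needs it after `upload_auth` is set cannot be told from this hunk, but if not, dropping it would shrink what a leaked session file exposes.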
return false;
}
+/**
+ * Test if visitor's IP is authorized or password is supplied and authorized
+ * @param $ip IP to be challenged
+ * @param $password password to be challenged
+ * @return true if access is valid, false otherwise.
+ */
+function jirafeau_challenge_upload ($cfg, $ip, $password)
+{
+ // Allow if no ip restrictaion and no password restriction
+ if ((count ($cfg['upload_ip']) == 0) and (count ($cfg['upload_password']) == 0)) {
+ return true;
+ }
+
+ // Allow if ip is in array
+ foreach ($cfg['upload_ip'] as $i) {
+ if ($i == $ip) {
+ return true;
+ }
+ // CIDR test for IPv4 only.
+ if (strpos ($i, '/') !== false)
+ {
+ list ($subnet, $mask) = explode('/', $i);
+ if ((ip2long ($ip) & ~((1 << (32 - $mask)) - 1) ) == ip2long ($subnet)) {
+ return true;
+ }
+ }
+ }
+ if (!jirafeau_has_upload_password($cfg)) {
+ return false;
+ }
+
+ foreach ($cfg['upload_password'] as $p) {
+ if ($password == $p) {
+ return true;
+ }
+ }
+ return false;
+}
+
/** Tell if we have some HTTP headers generated by a proxy */
function has_http_forwarded()
{
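Review bot: The CIDR branch in `jirafeau_challenge_upload` compares `ip2long ($ip) & ~mask` with `ip2long ($subnet)` using `==`, and `ip2long()` returns `false` for anything that is not a dotted IPv4 address; since `0 == false` holds in PHP, a non-IPv4 entry in `upload_ip` (or a client whose masked address is 0) is accepted by that comparison instead of being skipped, despite the "IPv4 only" comment. The same loose `==` is used for `$password == $p`, which compares numeric strings by value (`'1e3' == '1000'`) and is not constant-time; `hash_equals()` on the configured string, guarded by `is_string($password)` because callers pass `null` or raw `$_POST` data, is the usual replacement. The subnet side is also compared unmasked, so an entry with host bits set (`a.b.c.d/24`) can never match; masking both sides avoids that. A range check on `$mask` keeps a malformed entry from producing a shift by a negative or oversized count.

```php
    // Allow if ip is in array
    foreach ($cfg['upload_ip'] as $i) {
        if ($i === $ip) {
            return true;
        }
        // CIDR test for IPv4 only: anything ip2long() cannot parse is skipped,
        // never treated as a match.
        if (strpos ($i, '/') !== false) {
            list ($subnet, $mask) = explode('/', $i, 2);
            $client = ip2long ($ip);
            $network = ip2long ($subnet);
            $mask = filter_var($mask, FILTER_VALIDATE_INT,
                array('options' => array('min_range' => 0, 'max_range' => 32)));
            if ($client === false || $network === false || $mask === false) {
                continue;
            }
            $bits = $mask === 0 ? 0 : (0xFFFFFFFF << (32 - $mask)) & 0xFFFFFFFF;
            if (($client & $bits) === ($network & $bits)) {
                return true;
            }
        }
    }
    // … unchanged: jirafeau_has_upload_password check …
    foreach ($cfg['upload_password'] as $p) {
        if (is_string($password) && hash_equals((string) $p, $password)) {
            return true;
        }
    }
    return false;
```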
/* Upload file */
if (isset($_FILES['file']) && is_writable(VAR_FILES)
&& is_writable(VAR_LINKS)) {
- if (!jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
- echo 'Error 2';
- exit;
- }
-
- if (jirafeau_has_upload_password($cfg) &&
- (!isset($_POST['upload_password']) ||
- !jirafeau_challenge_upload_password($cfg, $_POST['upload_password']))) {
- echo 'Error 3';
- exit;
+ if (isset ($_POST['upload_password'])) {
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
+ echo 'Error 3: Invalid password';
+ exit;
+ }
+ } else {
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
+ echo 'Error 2: No password nor allowed IP';
+ exit;
+ }
}
-
+
$key = '';
if (isset($_POST['key'])) {
$key = $_POST['key'];
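Review bot: The split at `if (isset ($_POST['upload_password'])) {` duplicates the `jirafeau_challenge_upload` call and the deny block only to pick between two error strings, and the same pattern is repeated in the alias_create and init_async hunks below. Resolving the password once and choosing the message from whether one was supplied keeps the three sites identical and easier to keep in sync, which matters for an access check. The enclosing `if (isset($_FILES['file']) ...` block continues past the end of the hunk.

```php
if (isset($_FILES['file']) && is_writable(VAR_FILES)
    && is_writable(VAR_LINKS)) {
    $password = isset($_POST['upload_password']) ? $_POST['upload_password'] : null;
    if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $password)) {
        echo $password === null ? 'Error 2: No password nor allowed IP' : 'Error 3: Invalid password';
        exit;
    }
    // … unchanged: $key handling and the rest of the upload branch …
```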
}
/* Create alias. */
elseif (isset($_GET['alias_create'])) {
- $ip = get_ip_address($cfg);
- if (!jirafeau_challenge_upload_ip($cfg, $ip)) {
- echo 'Error 13';
- exit;
- }
-
- if (jirafeau_has_upload_password($cfg) &&
- (!isset($_POST['upload_password']) ||
- !jirafeau_challenge_upload_password($cfg, $_POST['upload_password']))) {
- echo 'Error 14';
- exit;
+ if (isset($_POST['upload_password'])){
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
+ echo 'Error 14: Invalid password';
+ exit;
+ }
+ } else {
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
+ echo 'Error 13: No password nor allowed IP';
+ exit;
+ }
}
if (!isset($_POST['alias']) ||
}
/* Initialize an asynchronous upload. */
elseif (isset($_GET['init_async'])) {
- if (!jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
- echo 'Error 19';
- exit;
- }
-
- if (jirafeau_has_upload_password($cfg) &&
- (!isset($_POST['upload_password']) ||
- !jirafeau_challenge_upload_password($cfg, $_POST['upload_password']))) {
- echo 'Error 20';
- exit;
+ if (isset($_POST['upload_password'])){
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
+ echo 'Error 20: Invalid password';
+ exit;
+ }
+ } else {
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
+ echo 'Error 19: No password nor allowed IP';
+ exit;
+ }
}
if (!isset($_POST['filename'])) {