add optional IP authentication for uploaders

closes #34

Signed-off-by: Jerome Jutteau <mojo@couak.net>

diff --git a/index.php b/index.php
index 8cb0b864d9d606a8f9b7ec0b8377385f73ae5617..4802e33a9dc99efed5de21a3ec92b6ed090f824d 100644 (file)
--- a/index.php
+++ b/index.php
@@ -34,6 +34,14 @@ if (has_error ())
     exit;
 }
 
+/* Check if user is allowed to upload. */
+if (!jirafeau_challenge_upload_ip ($cfg, $_SERVER['REMOTE_ADDR']))
+{
+    echo '<div class="error"><p>' . t('Access denied') . '</p></div>';
+    require (JIRAFEAU_ROOT.'lib/template/footer.php');
+    exit;
+}
+
 /* Ask password if upload password is set. */
 if (jirafeau_has_upload_password ($cfg))
 {

diff --git a/lib/config.original.php b/lib/config.original.php
index c0a1ed3630eb3a09247041f31a4b154c00e92dfe..755b762aea1912f2d97507c3a74016f7a764f0f2 100644 (file)
--- a/lib/config.original.php
+++ b/lib/config.original.php
@@ -50,6 +50,13 @@ $cfg['link_name_length'] = 8;
  * ... and so on
  */
 $cfg['upload_password'] = array();
+/* List of IP allowed to upload a file.
+ * If list is empty, then there is no upload restriction based on IP
+ * Elements of the list can be a single IP (e.g. "123.45.67.89") or
+ * an IP range (e.g. "123.45.0.0/16").
+ * Note that CIDR notation is available for IPv4 only for the moment.
+ */
+$cfg['upload_ip'] = array();
 /* An empty admin password will disable the classic admin password
  * authentication.
  */

diff --git a/lib/functions.php b/lib/functions.php
index c2cad4653d209eab87a083dff6e359f90644f9d1..27e4fc3862ad0c299980801ff79e94d905ee2e46 100644 (file)
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1084,3 +1084,27 @@ function jirafeau_challenge_upload_password ($cfg, $password)
     return false;
 }
 
+/**
+ * Test if visitor's IP is authorized to upload.
+ * @param $ip IP to be challenged
+ * @return true if IP is authorized, false otherwise.
+ */
+function jirafeau_challenge_upload_ip ($cfg, $ip)
+{
+    if (count ($cfg['upload_ip']) == 0)
+        return true;
+    forEach ($cfg['upload_ip'] as $i)
+    {
+        if ($i == $ip)
+            return true;
+        // CIDR test for IPv4 only.
+        if (strpos ($i, '/') !== false)
+        {
+            list ($subnet, $mask) = explode('/', $i);
+            if ((ip2long ($ip) & ~((1 << (32 - $mask)) - 1) ) == ip2long ($subnet))
+                return true;
+        }
+    }
+    return false;
+}
+

diff --git a/script.php b/script.php
index 99c5ec0116a663661b5f8ee36ffe947d7f196a6f..93599c9763855bde705862aaec3c004270c12bea 100644 (file)
--- a/script.php
+++ b/script.php
@@ -218,6 +218,12 @@ if (has_error ())
 if (isset ($_FILES['file']) && is_writable (VAR_FILES)
     && is_writable (VAR_LINKS))
 {
+    if (!jirafeau_challenge_upload_ip ($cfg, $_SERVER['REMOTE_ADDR']))
+    {
+        echo "Error";
+        exit;
+    }
+
     if (jirafeau_has_upload_password ($cfg) &&
          (!isset ($_POST['upload_password']) ||
           !jirafeau_challenge_upload_password ($cfg, $_POST['upload_password'])))
@@ -505,6 +511,12 @@ fi
 /* Initialize an asynchronous upload. */
 elseif (isset ($_GET['init_async']))
 {
+    if (!jirafeau_challenge_upload_ip ($cfg, $_SERVER['REMOTE_ADDR']))
+    {
+        echo "Error";
+        exit;
+    }
+
     if (jirafeau_has_upload_password ($cfg) &&
          (!isset ($_POST['upload_password']) ||
           !jirafeau_challenge_upload_password ($cfg, $_POST['upload_password'])))