From: Jack Footner
Date: Thu, 9 Mar 2023 05:02:57 +0000 (+1030)
Subject: Add new `admin_ip` configuration option
X-Git-Tag: 4.6.0~14^2~16
X-Git-Url: https://git.p6c8.net/jirafeau_project.git/commitdiff_plain/5bd3412d378c6de75c36737b5fd93eb214945469?ds=sidebyside;hp=-c
Add new `admin_ip` configuration option
--- 5bd3412d378c6de75c36737b5fd93eb214945469
diff --git a/admin.php b/admin.php
index 68e0f3b..79918be 100644
--- a/admin.php
+++ b/admin.php
@@ -44,7 +44,8 @@ if (php_sapi_name() == "cli") {
 } else {
 die("No command found. Should be admin.php .\n");
 }
-} else {
+// Second check: Challenge by IP
+} elseif (true === jirafeau_challenge_admin_ip($cfg, get_ip_address($cfg))) {
 /* Disable admin interface if we have a empty admin password. */
 if (empty($cfg['admin_password']) && empty($cfg['admin_http_auth_user'])) {
 require(JIRAFEAU_ROOT . 'lib/template/header.php');
@@ -301,5 +302,7 @@ if (php_sapi_name() == "cli") {
 }
 require(JIRAFEAU_ROOT.'lib/template/footer.php');
+} else {
+ jirafeau_fatal_error(t('ACCESS_KO'), $cfg);
 }
 ?>
diff --git a/docker/README.md b/docker/README.md
index 8d367ea..b30f63a 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -34,6 +34,7 @@ More details about options in `lib/config.original.php`.
 Available options:
 - `ADMIN_PASSWORD`: setup a specific admin password. If not set, a random password will be generated.
+- `ADMIN_IP`: set one or more ip allowed to access admin interface (separated by comma).
 - `WEB_ROOT`: setup a specific domain to point at when generating links (e.g. 'jirafeau.mydomain.com/').
 - `VAR_ROOT`: setup a specific path where to place files. default: '/data'.
 - `FILE_HASH`: can be set to `md5`, `partial_md5` or `random` (default).
diff --git a/docker/docker_config.php b/docker/docker_config.php
index 8c63134..2509fd0 100644
--- a/docker/docker_config.php
+++ b/docker/docker_config.php
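Review bot: The new `elseif` gate in admin.php compares the allow-list against `get_ip_address($cfg)`, and neither this hunk nor the new `admin_ip` comment in lib/config.original.php says which address that is; given `has_http_forwarded()` ("HTTP headers generated by a proxy") further down in lib/functions.php, it presumably honours forwarded headers when `proxy_ip` is set, in which case an empty or over-broad `proxy_ip` decides whether the address being checked is the socket peer or a header value chosen by the client. A sentence in the config comment would close that gap, e.g. ` * The address tested is the one returned by get_ip_address(), so behind a reverse proxy 'proxy_ip' must list only the trusted proxies.` The `true ===` comparison means a non-bool return from jirafeau_challenge_ip() would fail closed rather than open, which is the safe direction but deserves a short comment on the `elseif` line. The `// Second check: Challenge by IP` comment sits inside the CLI branch just before its closing brace, so it reads as part of that branch; placing it on the same line as the `elseif` keeps it next to the check it describes. The if/elseif chain starts before this hunk and its `else` → `jirafeau_fatal_error(t('ACCESS_KO'), $cfg)` is in the second hunk.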
@@ -172,6 +172,7 @@ function run_setup(&$cfg)
 env_2_cfg_int($cfg, 'maximal_upload_size');
 env_2_cfg_string_array($cfg, 'upload_password');
 env_2_cfg_string_array($cfg, 'upload_ip');
+ env_2_cfg_string_array($cfg, 'admin_ip');
 env_2_cfg_string_array($cfg, 'upload_ip_nopassword');
 env_2_cfg_string_array($cfg, 'proxy_ip');
 env_2_cfg_bool($cfg, 'store_uploader_ip');
diff --git a/lib/config.original.php b/lib/config.original.php
index c666d03..1543089 100644
--- a/lib/config.original.php
+++ b/lib/config.original.php
@@ -108,6 +108,14 @@ $cfg['admin_password'] = '';
 */
 $cfg['admin_http_auth_user'] = '';
+/* List of IP allowed to access the admin interface.
+ * If the list is empty, then there is no admin interface restriction based on IP.
+ * Elements of the list can be a single IP (e.g. "123.45.67.89") or
+ * an IP range (e.g. "123.45.0.0/16").
+ * Note that CIDR notation is available for IPv4 only for the moment.
+ */
+$cfg['admin_ip'] = array();
+
 /* Allow user to select different options for file expiration time.
 * Possible values in array:
 * 'minute': file is available for one minute
diff --git a/lib/functions.php b/lib/functions.php
index d6f7cb0..064d3a1 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1385,6 +1385,31 @@ function jirafeau_challenge_upload($cfg, $ip, $password)
 (jirafeau_challenge_upload_password($cfg, $password) && jirafeau_challenge_upload_ip($cfg, $ip));
 }
+/**
+ * Check if Jirafeau has a restriction on the IP address for accessing the admin interface.
+ * @return true if admin interface is IP restricted, false otherwise.
+ */
+function jirafeau_admin_has_ip_restriction($cfg)
+{
+ return count($cfg['admin_ip']) > 0;
+}
+
+/**
+ * Test if visitor's IP is authorized to access the admin interface.
+ *
+ * @param $cfg configuration
+ * @param $challengedIp IP to be challenged
+ * @return true if IP is authorized, false otherwise.
+ */
+function jirafeau_challenge_admin_ip($cfg, $challengedIp)
+{
+ // If no IP address have been listed, allow upload from any IP
+ if (!jirafeau_admin_has_ip_restriction($cfg)) {
+ return true;
+ }
+ return jirafeau_challenge_ip($cfg['admin_ip'], $challengedIp);
+}
+
 /** Tell if we have some HTTP headers generated by a proxy */
 function has_http_forwarded()
 {
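Review bot: The comment `// If no IP address have been listed, allow upload from any IP` in jirafeau_challenge_admin_ip() was carried over from the upload check and describes the wrong action; it should read `// If no IP address has been listed, allow admin access from any IP`. In jirafeau_admin_has_ip_restriction(), `count($cfg['admin_ip'])` assumes the key is always present and an array: a hand-edited config that sets `admin_ip` to a string or unsets it would warn or throw depending on the PHP version, and since this runs inside the admin.php gate the whole interface would become unreachable. `return !empty($cfg['admin_ip']);` matches how admin.php already tests `admin_password` and treats a missing key the same as the documented empty-list default. Both docblocks promise a bool, but the second function returns whatever jirafeau_challenge_ip() returns (defined outside the hunk); admin.php compares the result with `true ===`, so a non-bool truthy value would lock admins out, and `return (bool) jirafeau_challenge_ip($cfg['admin_ip'], $challengedIp);` makes the documented contract hold regardless of that helper.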