From 364d1c4437c45eda91dd0b8c5e92a098578f8b39 Mon Sep 17 00:00:00 2001
From: Jerome Jutteau <mojo@couak.net>
Date: Mon, 27 Apr 2015 20:07:29 +0200
Subject: [PATCH] add optional IP authentication for uploaders

closes #34

Signed-off-by: Jerome Jutteau <mojo@couak.net>
---
 index.php               |  8 ++++++++
 lib/config.original.php |  7 +++++++
 lib/functions.php       | 24 ++++++++++++++++++++++++
 script.php              | 12 ++++++++++++
 4 files changed, 51 insertions(+)

diff --git a/index.php b/index.php
index 8cb0b86..4802e33 100644
--- a/index.php
+++ b/index.php
@@ -34,6 +34,14 @@ if (has_error ())
     exit;
 }
 
+/* Check if user is allowed to upload. */
+if (!jirafeau_challenge_upload_ip ($cfg, $_SERVER['REMOTE_ADDR']))
+{
+    echo '<div class="error"><p>' . t('Access denied') . '</p></div>';
+    require (JIRAFEAU_ROOT.'lib/template/footer.php');
+    exit;
+}
+
 /* Ask password if upload password is set. */
 if (jirafeau_has_upload_password ($cfg))
 {
diff --git a/lib/config.original.php b/lib/config.original.php
index c0a1ed3..755b762 100644
--- a/lib/config.original.php
+++ b/lib/config.original.php
@@ -50,6 +50,13 @@ $cfg['link_name_length'] = 8;
  * ... and so on
  */
 $cfg['upload_password'] = array();
+/* List of IP allowed to upload a file.
+ * If list is empty, then there is no upload restriction based on IP
+ * Elements of the list can be a single IP (e.g. "123.45.67.89") or
+ * an IP range (e.g. "123.45.0.0/16").
+ * Note that CIDR notation is available for IPv4 only for the moment.
+ */
+$cfg['upload_ip'] = array();
 /* An empty admin password will disable the classic admin password
  * authentication.
  */
diff --git a/lib/functions.php b/lib/functions.php
index c2cad46..27e4fc3 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1084,3 +1084,27 @@ function jirafeau_challenge_upload_password ($cfg, $password)
     return false;
 }
 
+/**
+ * Test if visitor's IP is authorized to upload.
+ * @param $ip IP to be challenged
+ * @return true if IP is authorized, false otherwise.
+ */
+function jirafeau_challenge_upload_ip ($cfg, $ip)
+{
+    if (count ($cfg['upload_ip']) == 0)
+        return true;
+    forEach ($cfg['upload_ip'] as $i)
+    {
+        if ($i == $ip)
+            return true;
+        // CIDR test for IPv4 only.
+        if (strpos ($i, '/') !== false)
+        {
+            list ($subnet, $mask) = explode('/', $i);
+            if ((ip2long ($ip) & ~((1 << (32 - $mask)) - 1) ) == ip2long ($subnet))
+                return true;
+        }
+    }
+    return false;
+}
+
diff --git a/script.php b/script.php
index 99c5ec0..93599c9 100644
--- a/script.php
+++ b/script.php
@@ -218,6 +218,12 @@ if (has_error ())
 if (isset ($_FILES['file']) && is_writable (VAR_FILES)
     && is_writable (VAR_LINKS))
 {
+    if (!jirafeau_challenge_upload_ip ($cfg, $_SERVER['REMOTE_ADDR']))
+    {
+        echo "Error";
+        exit;
+    }
+
     if (jirafeau_has_upload_password ($cfg) &&
          (!isset ($_POST['upload_password']) ||
           !jirafeau_challenge_upload_password ($cfg, $_POST['upload_password'])))
@@ -505,6 +511,12 @@ fi
 /* Initialize an asynchronous upload. */
 elseif (isset ($_GET['init_async']))
 {
+    if (!jirafeau_challenge_upload_ip ($cfg, $_SERVER['REMOTE_ADDR']))
+    {
+        echo "Error";
+        exit;
+    }
+
     if (jirafeau_has_upload_password ($cfg) &&
          (!isset ($_POST['upload_password']) ||
           !jirafeau_challenge_upload_password ($cfg, $_POST['upload_password'])))
-- 
2.34.1