From 364d1c4437c45eda91dd0b8c5e92a098578f8b39 Mon Sep 17 00:00:00 2001
From: Jerome Jutteau
Date: Mon, 27 Apr 2015 20:07:29 +0200
Subject: [PATCH 1/1] add optional IP authentication for uploaders

closes #34

Signed-off-by: Jerome Jutteau
---
 index.php | 8 ++++++++
 lib/config.original.php | 7 +++++++
 lib/functions.php | 24 ++++++++++++++++++++++++
 script.php | 12 ++++++++++++
 4 files changed, 51 insertions(+)

diff --git a/index.php b/index.php
index 8cb0b86..4802e33 100644
--- a/index.php
+++ b/index.php
@@ -34,6 +34,14 @@ if (has_error ())
 exit;
 }
+/* Check if user is allowed to upload. */
+if (!jirafeau_challenge_upload_ip ($cfg, $_SERVER['REMOTE_ADDR']))
+{
+ echo '

' . t('Access denied') . '

';
+ require (JIRAFEAU_ROOT.'lib/template/footer.php');
+ exit;
+}
+
 /* Ask password if upload password is set. */
 if (jirafeau_has_upload_password ($cfg))
 {
diff --git a/lib/config.original.php b/lib/config.original.php
index c0a1ed3..755b762 100644
--- a/lib/config.original.php
+++ b/lib/config.original.php
@@ -50,6 +50,13 @@ $cfg['link_name_length'] = 8;
 * ... and so on */
 $cfg['upload_password'] = array();
+/* List of IP allowed to upload a file.
+ * If list is empty, then there is no upload restriction based on IP
+ * Elements of the list can be a single IP (e.g. "123.45.67.89") or
+ * an IP range (e.g. "123.45.0.0/16").
+ * Note that CIDR notation is available for IPv4 only for the moment.
+ */
+$cfg['upload_ip'] = array();
 /* An empty admin password will disable the classic admin password
 * authentication. */
diff --git a/lib/functions.php b/lib/functions.php
index c2cad46..27e4fc3 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1084,3 +1084,27 @@ function jirafeau_challenge_upload_password ($cfg, $password)
 return false;
 }
+/**
+ * Test if visitor's IP is authorized to upload.
+ * @param $ip IP to be challenged
+ * @return true if IP is authorized, false otherwise.
+ */
+function jirafeau_challenge_upload_ip ($cfg, $ip)
+{
+ if (count ($cfg['upload_ip']) == 0)
+ return true;
+ forEach ($cfg['upload_ip'] as $i)
+ {
+ if ($i == $ip)
+ return true;
+ // CIDR test for IPv4 only.
+ if (strpos ($i, '/') !== false)
+ {
+ list ($subnet, $mask) = explode('/', $i);
+ if ((ip2long ($ip) & ~((1 << (32 - $mask)) - 1) ) == ip2long ($subnet))
+ return true;
+ }
+ }
+ return false;
+}
+
diff --git a/script.php b/script.php
index 99c5ec0..93599c9 100644
--- a/script.php
+++ b/script.php
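Review bot: The new guard in index.php passes `$_SERVER['REMOTE_ADDR']` to `jirafeau_challenge_upload_ip`, and that value is the address of the direct TCP peer; when the application sits behind a reverse proxy or load balancer every visitor arrives with the proxy's address, so an `upload_ip` allow-list either admits everyone or nobody. The two script.php hunks make the same call and share this limitation. A comment at the call site would save the next operator a surprise: `/* REMOTE_ADDR is the direct peer: behind a reverse proxy this is the proxy's address, not the visitor's. */`, with a matching sentence in the `upload_ip` comment of lib/config.original.php. The page logic around the guard continues outside the hunk.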
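Review bot: The `upload_ip` comment in lib/config.original.php explains CIDR entries but not how a "single IP" entry is matched; in the accompanying `jirafeau_challenge_upload_ip` a plain entry is compared to the visitor's address with `==`, so it must be the address string verbatim. Suggest adding a line after the single-IP example: ` * A single IP must match the visitor's address exactly (an IPv6 literal can be listed, but is only matched this way).`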
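Review bot: In the CIDR branch of `jirafeau_challenge_upload_ip` only the visitor's address is masked, so an entry whose host bits are not zero (e.g. `10.1.2.3/16`) never matches the network it describes, and `$mask` is used unchecked, so a prefix length outside 0..32 or a non-numeric suffix produces an oversized shift or, on PHP 8, a TypeError from `32 - $mask`. A `false` from `ip2long()` (malformed entry, or an IPv6 visitor) is likewise folded into the arithmetic instead of being treated as no match. Masking both sides and validating the pieces before comparing addresses all three; the function lies entirely within the hunk.
```php
        // CIDR test for IPv4 only.
        if (strpos ($i, '/') !== false)
        {
            list ($subnet, $mask) = explode ('/', $i, 2);
            $ip_l = ip2long ($ip);
            $net_l = ip2long ($subnet);
            // Malformed entry or non-IPv4 visitor: this entry cannot match.
            if ($ip_l === false || $net_l === false ||
                !ctype_digit ($mask) || (int) $mask > 32)
                continue;
            $bits = (int) $mask;
            $m = $bits == 0 ? 0 : ~((1 << (32 - $bits)) - 1);
            if (($ip_l & $m) == ($net_l & $m))
                return true;
        }
```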
@@ -218,6 +218,12 @@ if (has_error ())
 if (isset ($_FILES['file']) && is_writable (VAR_FILES) && is_writable (VAR_LINKS))
 {
+ if (!jirafeau_challenge_upload_ip ($cfg, $_SERVER['REMOTE_ADDR']))
+ {
+ echo "Error";
+ exit;
+ }
+
 if (jirafeau_has_upload_password ($cfg) && (!isset ($_POST['upload_password']) || !jirafeau_challenge_upload_password ($cfg, $_POST['upload_password'])))
@@ -505,6 +511,12 @@ fi
 /* Initialize an asynchronous upload. */
 elseif (isset ($_GET['init_async']))
 {
+ if (!jirafeau_challenge_upload_ip ($cfg, $_SERVER['REMOTE_ADDR']))
+ {
+ echo "Error";
+ exit;
+ }
+
 if (jirafeau_has_upload_password ($cfg) && (!isset ($_POST['upload_password']) || !jirafeau_challenge_upload_password ($cfg, $_POST['upload_password'])))
-- 
2.34.1
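Review bot: The same five-line guard (`if (!jirafeau_challenge_upload_ip ($cfg, $_SERVER['REMOTE_ADDR'])) { echo "Error"; exit; }`) is pasted into both script.php hunks; a small helper in lib/functions.php that performs the check and terminates with the message would keep the two call sites, and any future upload entry point, in step. Only the file-upload branch and the `init_async` branch receive the guard in this patch; if script.php exposes further endpoints that accept upload data, they would need the same check, which cannot be confirmed from the hunks. Both enclosing blocks continue outside the hunk.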