fixed: bugID = 3112614
[phpmyadmin/adnan.git] / libraries / ip_allow_deny.lib.php
blob30bce24a748c2ff3f95415318caaa062b0ef5bd4
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * This library is used with the server IP allow/deny host authentication
5 * feature
7 * @package phpMyAdmin
8 */
11 /**
12 * Gets the "true" IP address of the current user
14 * @return string the ip of the user
16 * @access private
18 function PMA_getIp()
20 /* Get the address of user */
21 if (!empty($_SERVER['REMOTE_ADDR'])) {
22 $direct_ip = $_SERVER['REMOTE_ADDR'];
23 } else {
24 /* We do not know remote IP */
25 return false;
28 /* Do we trust this IP as a proxy? If yes we will use it's header. */
29 if (isset($GLOBALS['cfg']['TrustedProxies'][$direct_ip])) {
30 $trusted_header_value = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
31 $matches = array();
32 // the $ checks that the header contains only one IP address, ?: makes sure the () don't capture
33 $is_ip = preg_match('|^(?:[0-9]{1,3}\.){3,3}[0-9]{1,3}$|', $trusted_header_value, $matches);
34 if ($is_ip && (count($matches) == 1)) {
35 // True IP behind a proxy
36 return $matches[0];
40 /* Return true IP */
41 return $direct_ip;
42 } // end of the 'PMA_getIp()' function
45 /**
46 * Based on IP Pattern Matcher
47 * Originally by J.Adams <jna@retina.net>
48 * Found on <http://www.php.net/manual/en/function.ip2long.php>
49 * Modified for phpMyAdmin
51 * Matches:
52 * xxx.xxx.xxx.xxx (exact)
53 * xxx.xxx.xxx.[yyy-zzz] (range)
54 * xxx.xxx.xxx.xxx/nn (CIDR)
56 * Does not match:
57 * xxx.xxx.xxx.xx[yyy-zzz] (range, partial octets not supported)
59 * @param string string of IP range to match
60 * @param string string of IP to test against range
62 * @return boolean always true
64 * @access public
66 function PMA_ipMaskTest($testRange, $ipToTest)
68 $result = true;
70 if (preg_match('|([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/([0-9]+)|', $testRange, $regs)) {
71 // performs a mask match
72 $ipl = ip2long($ipToTest);
73 $rangel = ip2long($regs[1] . '.' . $regs[2] . '.' . $regs[3] . '.' . $regs[4]);
75 $maskl = 0;
77 for ($i = 0; $i < 31; $i++) {
78 if ($i < $regs[5] - 1) {
79 $maskl = $maskl + PMA_pow(2, (30 - $i));
80 } // end if
81 } // end for
83 if (($maskl & $rangel) == ($maskl & $ipl)) {
84 return true;
85 } else {
86 return false;
88 } else {
89 // range based
90 $maskocts = explode('.', $testRange);
91 $ipocts = explode('.', $ipToTest);
93 // perform a range match
94 for ($i = 0; $i < 4; $i++) {
95 if (preg_match('|\[([0-9]+)\-([0-9]+)\]|', $maskocts[$i], $regs)) {
96 if (($ipocts[$i] > $regs[2])
97 || ($ipocts[$i] < $regs[1])) {
98 $result = false;
99 } // end if
100 } else {
101 if ($maskocts[$i] <> $ipocts[$i]) {
102 $result = false;
103 } // end if
104 } // end if/else
105 } //end for
106 } //end if/else
108 return $result;
109 } // end of the "PMA_IPMaskTest()" function
113 * Runs through IP Allow/Deny rules the use of it below for more information
115 * @param string 'allow' | 'deny' type of rule to match
117 * @return bool Matched a rule ?
119 * @access public
121 * @see PMA_getIp()
123 function PMA_allowDeny($type)
125 global $cfg;
127 // Grabs true IP of the user and returns if it can't be found
128 $remote_ip = PMA_getIp();
129 if (empty($remote_ip)) {
130 return false;
133 // copy username
134 $username = $cfg['Server']['user'];
136 // copy rule database
137 $rules = $cfg['Server']['AllowDeny']['rules'];
139 // lookup table for some name shortcuts
140 $shortcuts = array(
141 'all' => '0.0.0.0/0',
142 'localhost' => '127.0.0.1/8'
145 // Provide some useful shortcuts if server gives us address:
146 if (PMA_getenv('SERVER_ADDR')) {
147 $shortcuts['localnetA'] = PMA_getenv('SERVER_ADDR') . '/8';
148 $shortcuts['localnetB'] = PMA_getenv('SERVER_ADDR') . '/16';
149 $shortcuts['localnetC'] = PMA_getenv('SERVER_ADDR') . '/24';
152 foreach ($rules as $rule) {
153 // extract rule data
154 $rule_data = explode(' ', $rule);
156 // check for rule type
157 if ($rule_data[0] != $type) {
158 continue;
161 // check for username
162 if (($rule_data[1] != '%') //wildcarded first
163 && ($rule_data[1] != $username)) {
164 continue;
167 // check if the config file has the full string with an extra
168 // 'from' in it and if it does, just discard it
169 if ($rule_data[2] == 'from') {
170 $rule_data[2] = $rule_data[3];
173 // Handle shortcuts with above array
174 if (isset($shortcuts[$rule_data[2]])) {
175 $rule_data[2] = $shortcuts[$rule_data[2]];
178 // Add code for host lookups here
179 // Excluded for the moment
181 // Do the actual matching now
182 if (PMA_ipMaskTest($rule_data[2], $remote_ip)) {
183 return true;
185 } // end while
187 return false;
188 } // end of the "PMA_AllowDeny()" function