2.11.1.2 release
[phpmyadmin/arisferyanto.git] / libraries / ip_allow_deny.lib.php
blob205ea26bea7643bcd5c4b529e4988203304e77ea
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * This library is used with the server IP allow/deny host authentication
5 * feature
7 * @version $Id$
8 */
11 /**
12 * Gets the "true" IP address of the current user
14 * @return string the ip of the user
16 * @access private
18 function PMA_getIp()
20 /* Get the address of user */
21 if (!empty($_SERVER['REMOTE_ADDR'])) {
22 $direct_ip = $_SERVER['REMOTE_ADDR'];
23 } else {
24 /* We do not know remote IP */
25 return false;
28 /* Do we trust this IP as a proxy? If yes we will use it's header. */
29 if (isset($GLOBALS['cfg']['TrustedProxies'][$direct_ip])) {
30 $proxy_ip = PMA_getenv($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
31 // the $ checks that the header contains only one IP address
32 $is_ip = preg_match('|^([0-9]{1,3}\.){3,3}[0-9]{1,3}$|', $proxy_ip, $regs);
33 if ($is_ip && (count($regs) > 0)) {
34 // True IP behind a proxy
35 return $regs[0];
39 /* Return true IP */
40 return $direct_ip;
41 } // end of the 'PMA_getIp()' function
44 /**
45 * Based on IP Pattern Matcher
46 * Originally by J.Adams <jna@retina.net>
47 * Found on <http://www.php.net/manual/en/function.ip2long.php>
48 * Modified by Robbat2 <robbat2@users.sourceforge.net>
50 * Matches:
51 * xxx.xxx.xxx.xxx (exact)
52 * xxx.xxx.xxx.[yyy-zzz] (range)
53 * xxx.xxx.xxx.xxx/nn (CIDR)
55 * Does not match:
56 * xxx.xxx.xxx.xx[yyy-zzz] (range, partial octets not supported)
58 * @param string string of IP range to match
59 * @param string string of IP to test against range
61 * @return boolean always true
63 * @access public
65 function PMA_ipMaskTest($testRange, $ipToTest)
67 $result = true;
69 if (preg_match('|([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/([0-9]+)|', $testRange, $regs)) {
70 // performs a mask match
71 $ipl = ip2long($ipToTest);
72 $rangel = ip2long($regs[1] . '.' . $regs[2] . '.' . $regs[3] . '.' . $regs[4]);
74 $maskl = 0;
76 for ($i = 0; $i < 31; $i++) {
77 if ($i < $regs[5] - 1) {
78 $maskl = $maskl + PMA_pow(2, (30 - $i));
79 } // end if
80 } // end for
82 if (($maskl & $rangel) == ($maskl & $ipl)) {
83 return true;
84 } else {
85 return false;
87 } else {
88 // range based
89 $maskocts = explode('.', $testRange);
90 $ipocts = explode('.', $ipToTest);
92 // perform a range match
93 for ($i = 0; $i < 4; $i++) {
94 if (preg_match('|\[([0-9]+)\-([0-9]+)\]|', $maskocts[$i], $regs)) {
95 if (($ipocts[$i] > $regs[2])
96 || ($ipocts[$i] < $regs[1])) {
97 $result = false;
98 } // end if
99 } else {
100 if ($maskocts[$i] <> $ipocts[$i]) {
101 $result = false;
102 } // end if
103 } // end if/else
104 } //end for
105 } //end if/else
107 return $result;
108 } // end of the "PMA_IPMaskTest()" function
112 * Runs through IP Allow/Deny rules the use of it below for more information
114 * @param string 'allow' | 'deny' type of rule to match
116 * @return bool Matched a rule ?
118 * @access public
120 * @see PMA_getIp()
122 function PMA_allowDeny($type)
124 global $cfg;
126 // Grabs true IP of the user and returns if it can't be found
127 $remote_ip = PMA_getIp();
128 if (empty($remote_ip)) {
129 return false;
132 // copy username
133 $username = $cfg['Server']['user'];
135 // copy rule database
136 $rules = $cfg['Server']['AllowDeny']['rules'];
138 // lookup table for some name shortcuts
139 $shortcuts = array(
140 'all' => '0.0.0.0/0',
141 'localhost' => '127.0.0.1/8'
144 // Provide some useful shortcuts if server gives us address:
145 if (PMA_getenv('SERVER_ADDR')) {
146 $shortcuts['localnetA'] = PMA_getenv('SERVER_ADDR') . '/8';
147 $shortcuts['localnetB'] = PMA_getenv('SERVER_ADDR') . '/16';
148 $shortcuts['localnetC'] = PMA_getenv('SERVER_ADDR') . '/24';
151 foreach ($rules as $rule) {
152 // extract rule data
153 $rule_data = explode(' ', $rule);
155 // check for rule type
156 if ($rule_data[0] != $type) {
157 continue;
160 // check for username
161 if (($rule_data[1] != '%') //wildcarded first
162 && ($rule_data[1] != $username)) {
163 continue;
166 // check if the config file has the full string with an extra
167 // 'from' in it and if it does, just discard it
168 if ($rule_data[2] == 'from') {
169 $rule_data[2] = $rule_data[3];
172 // Handle shortcuts with above array
173 // DON'T use "array_key_exists" as it's only PHP 4.1 and newer.
174 if (isset($shortcuts[$rule_data[2]])) {
175 $rule_data[2] = $shortcuts[$rule_data[2]];
178 // Add code for host lookups here
179 // Excluded for the moment
181 // Do the actual matching now
182 if (PMA_ipMaskTest($rule_data[2], $remote_ip)) {
183 return true;
185 } // end while
187 return false;
188 } // end of the "PMA_AllowDeny()" function