123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306 |
- <?php
- /* vim: set expandtab sw=4 ts=4 sts=4: */
- /**
- * This library is used with the server IP allow/deny host authentication
- * feature
- *
- * @package PhpMyAdmin
- */
- namespace PhpMyAdmin;
- use PhpMyAdmin\Core;
- require_once './libraries/hash.lib.php';
- /**
- * PhpMyAdmin\IpAllowDeny class
- *
- * @package PhpMyAdmin
- */
- class IpAllowDeny
- {
- /**
- * Matches for IPv4 or IPv6 addresses
- *
- * @param string $testRange string of IP range to match
- * @param string $ipToTest string of IP to test against range
- *
- * @return boolean whether the IP mask matches
- *
- * @access public
- */
- public static function ipMaskTest($testRange, $ipToTest)
- {
- if (mb_strpos($testRange, ':') > -1
- || mb_strpos($ipToTest, ':') > -1
- ) {
- // assume IPv6
- $result = self::ipv6MaskTest($testRange, $ipToTest);
- } else {
- $result = self::ipv4MaskTest($testRange, $ipToTest);
- }
- return $result;
- } // end of the "self::ipMaskTest()" function
- /**
- * Based on IP Pattern Matcher
- * Originally by J.Adams <jna@retina.net>
- * Found on <https://www.php.net/manual/en/function.ip2long.php>
- * Modified for phpMyAdmin
- *
- * Matches:
- * xxx.xxx.xxx.xxx (exact)
- * xxx.xxx.xxx.[yyy-zzz] (range)
- * xxx.xxx.xxx.xxx/nn (CIDR)
- *
- * Does not match:
- * xxx.xxx.xxx.xx[yyy-zzz] (range, partial octets not supported)
- *
- * @param string $testRange string of IP range to match
- * @param string $ipToTest string of IP to test against range
- *
- * @return boolean whether the IP mask matches
- *
- * @access public
- */
- public static function ipv4MaskTest($testRange, $ipToTest)
- {
- $result = true;
- $match = preg_match(
- '|([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/([0-9]+)|',
- $testRange,
- $regs
- );
- if ($match) {
- // performs a mask match
- $ipl = ip2long($ipToTest);
- $rangel = ip2long(
- $regs[1] . '.' . $regs[2] . '.' . $regs[3] . '.' . $regs[4]
- );
- $maskl = 0;
- for ($i = 0; $i < 31; $i++) {
- if ($i < $regs[5] - 1) {
- $maskl = $maskl + pow(2, (30 - $i));
- } // end if
- } // end for
- return ($maskl & $rangel) == ($maskl & $ipl);
- }
- // range based
- $maskocts = explode('.', $testRange);
- $ipocts = explode('.', $ipToTest);
- // perform a range match
- for ($i = 0; $i < 4; $i++) {
- if (preg_match('|\[([0-9]+)\-([0-9]+)\]|', $maskocts[$i], $regs)) {
- if (($ipocts[$i] > $regs[2]) || ($ipocts[$i] < $regs[1])) {
- $result = false;
- } // end if
- } else {
- if ($maskocts[$i] <> $ipocts[$i]) {
- $result = false;
- } // end if
- } // end if/else
- } //end for
- return $result;
- } // end of the "self::ipv4MaskTest()" function
- /**
- * IPv6 matcher
- * CIDR section taken from https://stackoverflow.com/a/10086404
- * Modified for phpMyAdmin
- *
- * Matches:
- * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
- * (exact)
- * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:[yyyy-zzzz]
- * (range, only at end of IP - no subnets)
- * xxxx:xxxx:xxxx:xxxx/nn
- * (CIDR)
- *
- * Does not match:
- * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx[yyy-zzz]
- * (range, partial octets not supported)
- *
- * @param string $test_range string of IP range to match
- * @param string $ip_to_test string of IP to test against range
- *
- * @return boolean whether the IP mask matches
- *
- * @access public
- */
- public static function ipv6MaskTest($test_range, $ip_to_test)
- {
- $result = true;
- // convert to lowercase for easier comparison
- $test_range = mb_strtolower($test_range);
- $ip_to_test = mb_strtolower($ip_to_test);
- $is_cidr = mb_strpos($test_range, '/') > -1;
- $is_range = mb_strpos($test_range, '[') > -1;
- $is_single = ! $is_cidr && ! $is_range;
- $ip_hex = bin2hex(inet_pton($ip_to_test));
- if ($is_single) {
- $range_hex = bin2hex(inet_pton($test_range));
- $result = hash_equals($ip_hex, $range_hex);
- return $result;
- }
- if ($is_range) {
- // what range do we operate on?
- $range_match = array();
- $match = preg_match(
- '/\[([0-9a-f]+)\-([0-9a-f]+)\]/', $test_range, $range_match
- );
- if ($match) {
- $range_start = $range_match[1];
- $range_end = $range_match[2];
- // get the first and last allowed IPs
- $first_ip = str_replace($range_match[0], $range_start, $test_range);
- $first_hex = bin2hex(inet_pton($first_ip));
- $last_ip = str_replace($range_match[0], $range_end, $test_range);
- $last_hex = bin2hex(inet_pton($last_ip));
- // check if the IP to test is within the range
- $result = ($ip_hex >= $first_hex && $ip_hex <= $last_hex);
- }
- return $result;
- }
- if ($is_cidr) {
- // Split in address and prefix length
- list($first_ip, $subnet) = explode('/', $test_range);
- // Parse the address into a binary string
- $first_bin = inet_pton($first_ip);
- $first_hex = bin2hex($first_bin);
- $flexbits = 128 - $subnet;
- // Build the hexadecimal string of the last address
- $last_hex = $first_hex;
- $pos = 31;
- while ($flexbits > 0) {
- // Get the character at this position
- $orig = mb_substr($last_hex, $pos, 1);
- // Convert it to an integer
- $origval = hexdec($orig);
- // OR it with (2^flexbits)-1, with flexbits limited to 4 at a time
- $newval = $origval | (pow(2, min(4, $flexbits)) - 1);
- // Convert it back to a hexadecimal character
- $new = dechex($newval);
- // And put that character back in the string
- $last_hex = substr_replace($last_hex, $new, $pos, 1);
- // We processed one nibble, move to previous position
- $flexbits -= 4;
- --$pos;
- }
- // check if the IP to test is within the range
- $result = ($ip_hex >= $first_hex && $ip_hex <= $last_hex);
- }
- return $result;
- } // end of the "self::ipv6MaskTest()" function
- /**
- * Runs through IP Allow/Deny rules the use of it below for more information
- *
- * @param string $type 'allow' | 'deny' type of rule to match
- *
- * @return bool Whether rule has matched
- *
- * @access public
- *
- * @see Core::getIp()
- */
- public static function allowDeny($type)
- {
- global $cfg;
- // Grabs true IP of the user and returns if it can't be found
- $remote_ip = Core::getIp();
- if (empty($remote_ip)) {
- return false;
- }
- // copy username
- $username = $cfg['Server']['user'];
- // copy rule database
- if (isset($cfg['Server']['AllowDeny']['rules'])) {
- $rules = $cfg['Server']['AllowDeny']['rules'];
- if (! is_array($rules)) {
- $rules = array();
- }
- } else {
- $rules = array();
- }
- // lookup table for some name shortcuts
- $shortcuts = array(
- 'all' => '0.0.0.0/0',
- 'localhost' => '127.0.0.1/8'
- );
- // Provide some useful shortcuts if server gives us address:
- if (Core::getenv('SERVER_ADDR')) {
- $shortcuts['localnetA'] = Core::getenv('SERVER_ADDR') . '/8';
- $shortcuts['localnetB'] = Core::getenv('SERVER_ADDR') . '/16';
- $shortcuts['localnetC'] = Core::getenv('SERVER_ADDR') . '/24';
- }
- foreach ($rules as $rule) {
- // extract rule data
- $rule_data = explode(' ', $rule);
- // check for rule type
- if ($rule_data[0] != $type) {
- continue;
- }
- // check for username
- if (($rule_data[1] != '%') //wildcarded first
- && (! hash_equals($rule_data[1], $username))
- ) {
- continue;
- }
- // check if the config file has the full string with an extra
- // 'from' in it and if it does, just discard it
- if ($rule_data[2] == 'from') {
- $rule_data[2] = $rule_data[3];
- }
- // Handle shortcuts with above array
- if (isset($shortcuts[$rule_data[2]])) {
- $rule_data[2] = $shortcuts[$rule_data[2]];
- }
- // Add code for host lookups here
- // Excluded for the moment
- // Do the actual matching now
- if (self::ipMaskTest($rule_data[2], $remote_ip)) {
- return true;
- }
- } // end while
- return false;
- } // end of the "self::allowDeny()" function
- }
|