| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306 | <?php/* vim: set expandtab sw=4 ts=4 sts=4: *//** * This library is used with the server IP allow/deny host authentication * feature * * @package PhpMyAdmin */namespace PhpMyAdmin;use PhpMyAdmin\Core;require_once './libraries/hash.lib.php';/** * PhpMyAdmin\IpAllowDeny class * * @package PhpMyAdmin */class IpAllowDeny{    /**     * Matches for IPv4 or IPv6 addresses     *     * @param string $testRange string of IP range to match     * @param string $ipToTest  string of IP to test against range     *     * @return boolean    whether the IP mask matches     *     * @access  public     */    public static function ipMaskTest($testRange, $ipToTest)    {        if (mb_strpos($testRange, ':') > -1            || mb_strpos($ipToTest, ':') > -1        ) {            // assume IPv6            $result = self::ipv6MaskTest($testRange, $ipToTest);        } else {            $result = self::ipv4MaskTest($testRange, $ipToTest);        }        return $result;    } // end of the "self::ipMaskTest()" function    /**     * Based on IP Pattern Matcher     * Originally by J.Adams <jna@retina.net>     * Found on <https://www.php.net/manual/en/function.ip2long.php>     * Modified for phpMyAdmin     *     * Matches:     * xxx.xxx.xxx.xxx        (exact)     * xxx.xxx.xxx.[yyy-zzz]  (range)     * xxx.xxx.xxx.xxx/nn     (CIDR)     *     * Does not match:     * xxx.xxx.xxx.xx[yyy-zzz]  (range, partial octets not supported)     *     * @param string $testRange string of IP range to match     * @param string $ipToTest  string of IP to test against range     *     * @return boolean    whether the IP mask matches     *     * @access  public     */    public static function ipv4MaskTest($testRange, $ipToTest)    {        $result = true;        $match = preg_match(            '|([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/([0-9]+)|',            $testRange,            $regs        );        if ($match) {            // performs a mask match            $ipl    = ip2long($ipToTest);            $rangel = ip2long(                $regs[1] . '.' . $regs[2] . '.' . $regs[3] . '.' . $regs[4]            );            $maskl  = 0;            for ($i = 0; $i < 31; $i++) {                if ($i < $regs[5] - 1) {                    $maskl = $maskl + pow(2, (30 - $i));                } // end if            } // end for            return ($maskl & $rangel) == ($maskl & $ipl);        }        // range based        $maskocts = explode('.', $testRange);        $ipocts   = explode('.', $ipToTest);        // perform a range match        for ($i = 0; $i < 4; $i++) {            if (preg_match('|\[([0-9]+)\-([0-9]+)\]|', $maskocts[$i], $regs)) {                if (($ipocts[$i] > $regs[2]) || ($ipocts[$i] < $regs[1])) {                    $result = false;                } // end if            } else {                if ($maskocts[$i] <> $ipocts[$i]) {                    $result = false;                } // end if            } // end if/else        } //end for        return $result;    } // end of the "self::ipv4MaskTest()" function    /**     * IPv6 matcher     * CIDR section taken from https://stackoverflow.com/a/10086404     * Modified for phpMyAdmin     *     * Matches:     * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx     * (exact)     * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:[yyyy-zzzz]     * (range, only at end of IP - no subnets)     * xxxx:xxxx:xxxx:xxxx/nn     * (CIDR)     *     * Does not match:     * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx[yyy-zzz]     * (range, partial octets not supported)     *     * @param string $test_range string of IP range to match     * @param string $ip_to_test string of IP to test against range     *     * @return boolean    whether the IP mask matches     *     * @access  public     */    public static function ipv6MaskTest($test_range, $ip_to_test)    {        $result = true;        // convert to lowercase for easier comparison        $test_range = mb_strtolower($test_range);        $ip_to_test = mb_strtolower($ip_to_test);        $is_cidr = mb_strpos($test_range, '/') > -1;        $is_range = mb_strpos($test_range, '[') > -1;        $is_single = ! $is_cidr && ! $is_range;        $ip_hex = bin2hex(inet_pton($ip_to_test));        if ($is_single) {            $range_hex = bin2hex(inet_pton($test_range));            $result = hash_equals($ip_hex, $range_hex);            return $result;        }        if ($is_range) {            // what range do we operate on?            $range_match = array();            $match = preg_match(                '/\[([0-9a-f]+)\-([0-9a-f]+)\]/', $test_range, $range_match            );            if ($match) {                $range_start = $range_match[1];                $range_end   = $range_match[2];                // get the first and last allowed IPs                $first_ip  = str_replace($range_match[0], $range_start, $test_range);                $first_hex = bin2hex(inet_pton($first_ip));                $last_ip   = str_replace($range_match[0], $range_end, $test_range);                $last_hex  = bin2hex(inet_pton($last_ip));                // check if the IP to test is within the range                $result = ($ip_hex >= $first_hex && $ip_hex <= $last_hex);            }            return $result;        }        if ($is_cidr) {            // Split in address and prefix length            list($first_ip, $subnet) = explode('/', $test_range);            // Parse the address into a binary string            $first_bin = inet_pton($first_ip);            $first_hex = bin2hex($first_bin);            $flexbits = 128 - $subnet;            // Build the hexadecimal string of the last address            $last_hex = $first_hex;            $pos = 31;            while ($flexbits > 0) {                // Get the character at this position                $orig = mb_substr($last_hex, $pos, 1);                // Convert it to an integer                $origval = hexdec($orig);                // OR it with (2^flexbits)-1, with flexbits limited to 4 at a time                $newval = $origval | (pow(2, min(4, $flexbits)) - 1);                // Convert it back to a hexadecimal character                $new = dechex($newval);                // And put that character back in the string                $last_hex = substr_replace($last_hex, $new, $pos, 1);                // We processed one nibble, move to previous position                $flexbits -= 4;                --$pos;            }            // check if the IP to test is within the range            $result = ($ip_hex >= $first_hex && $ip_hex <= $last_hex);        }        return $result;    } // end of the "self::ipv6MaskTest()" function    /**     * Runs through IP Allow/Deny rules the use of it below for more information     *     * @param string $type 'allow' | 'deny' type of rule to match     *     * @return bool   Whether rule has matched     *     * @access  public     *     * @see     Core::getIp()     */    public static function allowDeny($type)    {        global $cfg;        // Grabs true IP of the user and returns if it can't be found        $remote_ip = Core::getIp();        if (empty($remote_ip)) {            return false;        }        // copy username        $username  = $cfg['Server']['user'];        // copy rule database        if (isset($cfg['Server']['AllowDeny']['rules'])) {            $rules     = $cfg['Server']['AllowDeny']['rules'];            if (! is_array($rules)) {                $rules = array();            }        } else {            $rules = array();        }        // lookup table for some name shortcuts        $shortcuts = array(            'all'       => '0.0.0.0/0',            'localhost' => '127.0.0.1/8'        );        // Provide some useful shortcuts if server gives us address:        if (Core::getenv('SERVER_ADDR')) {            $shortcuts['localnetA'] = Core::getenv('SERVER_ADDR') . '/8';            $shortcuts['localnetB'] = Core::getenv('SERVER_ADDR') . '/16';            $shortcuts['localnetC'] = Core::getenv('SERVER_ADDR') . '/24';        }        foreach ($rules as $rule) {            // extract rule data            $rule_data = explode(' ', $rule);            // check for rule type            if ($rule_data[0] != $type) {                continue;            }            // check for username            if (($rule_data[1] != '%') //wildcarded first                && (! hash_equals($rule_data[1], $username))            ) {                continue;            }            // check if the config file has the full string with an extra            // 'from' in it and if it does, just discard it            if ($rule_data[2] == 'from') {                $rule_data[2] = $rule_data[3];            }            // Handle shortcuts with above array            if (isset($shortcuts[$rule_data[2]])) {                $rule_data[2] = $shortcuts[$rule_data[2]];            }            // Add code for host lookups here            // Excluded for the moment            // Do the actual matching now            if (self::ipMaskTest($rule_data[2], $remote_ip)) {                return true;            }        } // end while        return false;    } // end of the "self::allowDeny()" function}
 |