From f65244fc26208f942fbe5e5cdf5a6570dc493005 Mon Sep 17 00:00:00 2001 From: Marc Hauswirth Date: Mon, 13 Feb 2017 22:55:25 +0100 Subject: [PATCH] ip or password (see issue 107) --- index.php | 97 +++++++++++++++++++++++------------------------ lib/functions.php | 39 +++++++++++++++++++ script.php | 63 +++++++++++++++--------------- 3 files changed, 117 insertions(+), 82 deletions(-) diff --git a/index.php b/index.php index b8feabd..39eded5 100644 --- a/index.php +++ b/index.php @@ -35,64 +35,61 @@ require(JIRAFEAU_ROOT . 'lib/template/header.php'); /* Check if user is allowed to upload. */ if (!jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) { - echo '

' . t('Access denied') . '

'; - require(JIRAFEAU_ROOT.'lib/template/footer.php'); - exit; -} -/* Ask password if upload password is set. */ -if (jirafeau_has_upload_password($cfg)) { - session_start(); + /* Ask password if upload password is set. */ + if (jirafeau_has_upload_password($cfg)) { + session_start(); - /* Unlog if asked. */ - if (isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) { - session_unset(); - } + /* Unlog if asked. */ + if (isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) { + session_unset(); + } - /* Auth. */ - if (isset($_POST['upload_password'])) { - if (jirafeau_challenge_upload_password($cfg, $_POST['upload_password'])) { - $_SESSION['upload_auth'] = true; - $_SESSION['user_upload_password'] = $_POST['upload_password']; - } else { - $_SESSION['admin_auth'] = false; - echo '

' . t('Wrong password.') . '

'; + /* Auth. */ + if (isset($_POST['upload_password'])) { + if (jirafeau_challenge_upload_password($cfg, $_POST['upload_password'])) { + $_SESSION['upload_auth'] = true; + $_SESSION['user_upload_password'] = $_POST['upload_password']; + } else { + $_SESSION['admin_auth'] = false; + echo '

' . t('Wrong password.') . '

'; + require(JIRAFEAU_ROOT.'lib/template/footer.php'); + exit; + } + } + + /* Show auth page. */ + if (!isset($_SESSION['upload_auth']) || $_SESSION['upload_auth'] != true) { + ?> +
+
+ + + + + + + + + +
+ +
+
+
+ -
-
- - - - - - - - - -
- -
-
-
-

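Review bot: The removed `Access denied` branch has no visible replacement in the new block: once the IP check fails, the password prompt only runs when `jirafeau_has_upload_password($cfg)` is true, so with an `upload_ip` restriction and no password configured a non-listed address appears to fall through to the upload form (script.php still refuses the actual upload with `Error 2`, so this reads as a UI inconsistency rather than a bypass, unless a denial sits in the garbled part of this hunk). Restoring the old echo/`require(JIRAFEAU_ROOT.'lib/template/footer.php')`/`exit` as an `} else {` of that `jirafeau_has_upload_password` test would keep the restriction visible to the user. The wrong-password branch that is re-indented here also sets `$_SESSION['admin_auth'] = false;`, which looks like a leftover from the admin login; `$_SESSION['upload_auth'] = false;` seems to be what is meant, and as written a failed upload password clears an admin session. The HTML lines of this hunk are garbled in this rendering, so the surrounding markup could not be checked.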
diff --git a/lib/functions.php b/lib/functions.php
index 4d698c2..99c11ec 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1079,6 +1079,45 @@ function jirafeau_challenge_upload_ip($cfg, $ip)
 return false;
 }
+/**
+ * Test if visitor's IP is authorized or password is supplied and authorized
+ * @param $ip IP to be challenged
+ * @param $password password to be challenged
+ * @return true if access is valid, false otherwise.
+ */
+function jirafeau_challenge_upload ($cfg, $ip, $password)
+{
+ // Allow if no ip restrictaion and no password restriction
+ if ((count ($cfg['upload_ip']) == 0) and (count ($cfg['upload_password']) == 0)) {
+ return true;
+ }
+
+ // Allow if ip is in array
+ foreach ($cfg['upload_ip'] as $i) {
+ if ($i == $ip) {
+ return true;
+ }
+ // CIDR test for IPv4 only.
+ if (strpos ($i, '/') !== false)
+ {
+ list ($subnet, $mask) = explode('/', $i);
+ if ((ip2long ($ip) & ~((1 << (32 - $mask)) - 1) ) == ip2long ($subnet)) {
+ return true;
+ }
+ }
+ }
+ if (!jirafeau_has_upload_password($cfg)) {
+ return false;
+ }
+
+ foreach ($cfg['upload_password'] as $p) {
+ if ($password == $p) {
+ return true;
+ }
+ }
+ return false;
+}
+
 /** Tell if we have some HTTP headers generated by a proxy */
 function has_http_forwarded()
 {
diff --git a/script.php b/script.php
index 2eb6b4a..f00b1df 100644
--- a/script.php
+++ b/script.php
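Review bot: `$password == $p` in the new jirafeau_challenge_upload compares the submitted password with loose equality, so numeric-looking strings compare as numbers (`'1e3' == '1000'` is true) and a `null` password matches an empty-string entry; `hash_equals()` on two strings gives both strict and constant-time comparison. The same loose `$i == $ip` in the IP loop should be `===`, and `$mask` taken from `explode('/', $i)` is fed unvalidated into `1 << (32 - $mask)`. The IP loop also appears to repeat the body of `jirafeau_challenge_upload_ip` directly above (only its `return false;` is visible here), so delegating to it would avoid a second copy of the CIDR arithmetic. The typo `restrictaion` in the first comment could be fixed while here.
```php
    // … unchanged: empty-restriction shortcut and IP/CIDR loop …
    if (!jirafeau_has_upload_password($cfg) || !is_string($password)) {
        return false;
    }

    foreach ($cfg['upload_password'] as $p) {
        // Strict, constant-time comparison instead of loose ==
        if (hash_equals((string) $p, $password)) {
            return true;
        }
    }
    return false;
```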
@@ -70,18 +70,18 @@ if (has_error()) {
 /* Upload file */
 if (isset($_FILES['file']) && is_writable(VAR_FILES) && is_writable(VAR_LINKS)) {
- if (!jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
- echo 'Error 2';
- exit;
+ if (isset ($_POST['upload_password'])) {
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
+ echo 'Error 3: Invalid password';
+ exit;
+ }
+ } else {
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
+ echo 'Error 2: No password nor allowed IP';
+ exit;
+ }
 }
-
- if (jirafeau_has_upload_password($cfg) &&
- (!isset($_POST['upload_password']) ||
- !jirafeau_challenge_upload_password($cfg, $_POST['upload_password']))) {
- echo 'Error 3';
- exit;
- }
-
+
 $key = '';
 if (isset($_POST['key'])) {
 $key = $_POST['key'];
@@ -365,17 +365,16 @@ fi
 }
 /* Create alias. */
 elseif (isset($_GET['alias_create'])) {
- $ip = get_ip_address($cfg);
- if (!jirafeau_challenge_upload_ip($cfg, $ip)) {
- echo 'Error 13';
- exit;
- }
-
- if (jirafeau_has_upload_password($cfg) &&
- (!isset($_POST['upload_password']) ||
- !jirafeau_challenge_upload_password($cfg, $_POST['upload_password']))) {
- echo 'Error 14';
- exit;
+ if (isset($_POST['upload_password'])){
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
+ echo 'Error 14: Invalid password';
+ exit;
+ }
+ } else {
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
+ echo 'Error 13: No password nor allowed IP';
+ exit;
+ }
 }
 if (!isset($_POST['alias']) ||
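Review bot: The new guard at the top of the upload branch makes the same `jirafeau_challenge_upload` call in two nested `if`s that differ only in the last argument and the error text, and that ten-line block is pasted again in the `alias_create` (@@ -365) and `init_async` (@@ -432) hunks, which additionally write `){` without a space. Resolving the optional password once and picking the message from the result leaves one call site per branch; a small helper in lib/functions.php shared by all three places would be better still. Note that with this logic `Error 3: Invalid password` is also what a client gets when no upload password is configured at all and the IP is simply not allowed, since the challenge then fails whatever value was sent. The enclosing `if (isset($_FILES['file']) …)` block continues past the hunk.
```php
    $upload_password = isset($_POST['upload_password']) ? $_POST['upload_password'] : null;
    if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $upload_password)) {
        echo $upload_password === null ? 'Error 2: No password nor allowed IP' : 'Error 3: Invalid password';
        exit;
    }
    // … unchanged: $key handling …
```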
@@ -432,16 +431,16 @@ elseif (isset($_GET['alias_delete'])) {
 }
 /* Initialize an asynchronous upload. */
 elseif (isset($_GET['init_async'])) {
- if (!jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
- echo 'Error 19';
- exit;
- }
-
- if (jirafeau_has_upload_password($cfg) &&
- (!isset($_POST['upload_password']) ||
- !jirafeau_challenge_upload_password($cfg, $_POST['upload_password']))) {
- echo 'Error 20';
- exit;
+ if (isset($_POST['upload_password'])){
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
+ echo 'Error 20: Invalid password';
+ exit;
+ }
+ } else {
+ if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
+ echo 'Error 19: No password nor allowed IP';
+ exit;
+ }
 }
 if (!isset($_POST['filename'])) {