mirror of
https://gitlab.com/mojo42/Jirafeau.git
synced 2025-01-17 21:08:20 +01:00
ip or password (see issue 107)
This commit is contained in:
Marc Hauswirth
Jerome Jutteau
parent
169cbfa6f1
commit
f65244fc26
95
index.php
95
index.php
@ -35,62 +35,59 @@ require(JIRAFEAU_ROOT . 'lib/template/header.php');
|
||||
|
||||
/* Check if user is allowed to upload. */
|
||||
if (!jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
|
||||
echo '<div class="error"><p>' . t('Access denied') . '</p></div>';
|
||||
require(JIRAFEAU_ROOT.'lib/template/footer.php');
|
||||
exit;
|
||||
}
|
||||
|
||||
/* Ask password if upload password is set. */
|
||||
if (jirafeau_has_upload_password($cfg)) {
|
||||
session_start();
|
||||
/* Ask password if upload password is set. */
|
||||
if (jirafeau_has_upload_password($cfg)) {
|
||||
session_start();
|
||||
|
||||
/* Unlog if asked. */
|
||||
if (isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) {
|
||||
session_unset();
|
||||
}
|
||||
/* Unlog if asked. */
|
||||
if (isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) {
|
||||
session_unset();
|
||||
}
|
||||
|
||||
/* Auth. */
|
||||
if (isset($_POST['upload_password'])) {
|
||||
if (jirafeau_challenge_upload_password($cfg, $_POST['upload_password'])) {
|
||||
$_SESSION['upload_auth'] = true;
|
||||
$_SESSION['user_upload_password'] = $_POST['upload_password'];
|
||||
} else {
|
||||
$_SESSION['admin_auth'] = false;
|
||||
echo '<div class="error"><p>' . t('Wrong password.') . '</p></div>';
|
||||
/* Auth. */
|
||||
if (isset($_POST['upload_password'])) {
|
||||
if (jirafeau_challenge_upload_password($cfg, $_POST['upload_password'])) {
|
||||
$_SESSION['upload_auth'] = true;
|
||||
$_SESSION['user_upload_password'] = $_POST['upload_password'];
|
||||
} else {
|
||||
$_SESSION['admin_auth'] = false;
|
||||
echo '<div class="error"><p>' . t('Wrong password.') . '</p></div>';
|
||||
require(JIRAFEAU_ROOT.'lib/template/footer.php');
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
/* Show auth page. */
|
||||
if (!isset($_SESSION['upload_auth']) || $_SESSION['upload_auth'] != true) {
|
||||
?>
|
||||
<form action = "<?php echo basename(__FILE__); ?>" method = "post">
|
||||
<fieldset>
|
||||
<table>
|
||||
<tr>
|
||||
<td class = "label"><label for = "enter_password">
|
||||
<?php echo t('Upload password') . ':'; ?></label>
|
||||
</td>
|
||||
<td class = "field"><input type = "password"
|
||||
name = "upload_password" id = "upload_password"
|
||||
size = "40" />
|
||||
</td>
|
||||
</tr>
|
||||
<tr class = "nav">
|
||||
<td></td>
|
||||
<td class = "nav next">
|
||||
<input type = "submit" name = "key" value =
|
||||
"<?php echo t('Login'); ?>" />
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</fieldset>
|
||||
</form>
|
||||
<?php
|
||||
require(JIRAFEAU_ROOT.'lib/template/footer.php');
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
/* Show auth page. */
|
||||
if (!isset($_SESSION['upload_auth']) || $_SESSION['upload_auth'] != true) {
|
||||
?>
|
||||
<form action = "<?php echo basename(__FILE__); ?>" method = "post">
|
||||
<fieldset>
|
||||
<table>
|
||||
<tr>
|
||||
<td class = "label"><label for = "enter_password">
|
||||
<?php echo t('Upload password') . ':'; ?></label>
|
||||
</td>
|
||||
<td class = "field"><input type = "password"
|
||||
name = "upload_password" id = "upload_password"
|
||||
size = "40" />
|
||||
</td>
|
||||
</tr>
|
||||
<tr class = "nav">
|
||||
<td></td>
|
||||
<td class = "nav next">
|
||||
<input type = "submit" name = "key" value =
|
||||
"<?php echo t('Login'); ?>" />
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</fieldset>
|
||||
</form>
|
||||
<?php
|
||||
require(JIRAFEAU_ROOT.'lib/template/footer.php');
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
@ -1079,6 +1079,45 @@ function jirafeau_challenge_upload_ip($cfg, $ip)
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Test if visitor's IP is authorized or password is supplied and authorized
|
||||
* @param $ip IP to be challenged
|
||||
* @param $password password to be challenged
|
||||
* @return true if access is valid, false otherwise.
|
||||
*/
|
||||
function jirafeau_challenge_upload ($cfg, $ip, $password)
|
||||
{
|
||||
// Allow if no ip restrictaion and no password restriction
|
||||
if ((count ($cfg['upload_ip']) == 0) and (count ($cfg['upload_password']) == 0)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Allow if ip is in array
|
||||
foreach ($cfg['upload_ip'] as $i) {
|
||||
if ($i == $ip) {
|
||||
return true;
|
||||
}
|
||||
// CIDR test for IPv4 only.
|
||||
if (strpos ($i, '/') !== false)
|
||||
{
|
||||
list ($subnet, $mask) = explode('/', $i);
|
||||
if ((ip2long ($ip) & ~((1 << (32 - $mask)) - 1) ) == ip2long ($subnet)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!jirafeau_has_upload_password($cfg)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
foreach ($cfg['upload_password'] as $p) {
|
||||
if ($password == $p) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/** Tell if we have some HTTP headers generated by a proxy */
|
||||
function has_http_forwarded()
|
||||
{
|
||||
|
||||
61
script.php
61
script.php
@ -70,16 +70,16 @@ if (has_error()) {
|
||||
/* Upload file */
|
||||
if (isset($_FILES['file']) && is_writable(VAR_FILES)
|
||||
&& is_writable(VAR_LINKS)) {
|
||||
if (!jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
|
||||
echo 'Error 2';
|
||||
exit;
|
||||
}
|
||||
|
||||
if (jirafeau_has_upload_password($cfg) &&
|
||||
(!isset($_POST['upload_password']) ||
|
||||
!jirafeau_challenge_upload_password($cfg, $_POST['upload_password']))) {
|
||||
echo 'Error 3';
|
||||
exit;
|
||||
if (isset ($_POST['upload_password'])) {
|
||||
if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
|
||||
echo 'Error 3: Invalid password';
|
||||
exit;
|
||||
}
|
||||
} else {
|
||||
if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
|
||||
echo 'Error 2: No password nor allowed IP';
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
$key = '';
|
||||
@ -365,17 +365,16 @@ fi
|
||||
}
|
||||
/* Create alias. */
|
||||
elseif (isset($_GET['alias_create'])) {
|
||||
$ip = get_ip_address($cfg);
|
||||
if (!jirafeau_challenge_upload_ip($cfg, $ip)) {
|
||||
echo 'Error 13';
|
||||
exit;
|
||||
}
|
||||
|
||||
if (jirafeau_has_upload_password($cfg) &&
|
||||
(!isset($_POST['upload_password']) ||
|
||||
!jirafeau_challenge_upload_password($cfg, $_POST['upload_password']))) {
|
||||
echo 'Error 14';
|
||||
exit;
|
||||
if (isset($_POST['upload_password'])){
|
||||
if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
|
||||
echo 'Error 14: Invalid password';
|
||||
exit;
|
||||
}
|
||||
} else {
|
||||
if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
|
||||
echo 'Error 13: No password nor allowed IP';
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
if (!isset($_POST['alias']) ||
|
||||
@ -432,16 +431,16 @@ elseif (isset($_GET['alias_delete'])) {
|
||||
}
|
||||
/* Initialize an asynchronous upload. */
|
||||
elseif (isset($_GET['init_async'])) {
|
||||
if (!jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
|
||||
echo 'Error 19';
|
||||
exit;
|
||||
}
|
||||
|
||||
if (jirafeau_has_upload_password($cfg) &&
|
||||
(!isset($_POST['upload_password']) ||
|
||||
!jirafeau_challenge_upload_password($cfg, $_POST['upload_password']))) {
|
||||
echo 'Error 20';
|
||||
exit;
|
||||
if (isset($_POST['upload_password'])){
|
||||
if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), $_POST['upload_password'])) {
|
||||
echo 'Error 20: Invalid password';
|
||||
exit;
|
||||
}
|
||||
} else {
|
||||
if (!jirafeau_challenge_upload($cfg, get_ip_address($cfg), null)) {
|
||||
echo 'Error 19: No password nor allowed IP';
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
if (!isset($_POST['filename'])) {
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user