Fixed control for IP Ranges

2022-09-12 18:29:58 +02:00 · 2022-09-12 18:29:58 +02:00 · 51a2da89c9
parent 9cdb8788ff
commit 51a2da89c9
2 changed files with 59 additions and 1 deletions
--- a/pandora_console/include/functions_users.php
+++ b/pandora_console/include/functions_users.php
@ -877,3 +877,52 @@ function users_get_users_group_by_group($id_group)

    return $users;
 }
+
+
+/**
+ * Check if IP is in range. Check wildcard `*`, single IP and IP ranges.
+ *
+ * @param array  $arrayIP List of IPs.
+ * @param string $userIP  IP for determine if is in the list.
+ *
+ * @return boolean True if IP is in range.
+ */
+function checkIPInRange(
+    array $arrayIP,
+    string $userIP=''
+) {
+    $output = false;
+
+    if (empty($userIP) === true) {
+        $userIP = $_SERVER['REMOTE_ADDR'];
+    }
+
+    if (empty($arrayIP) === false) {
+        foreach ($arrayIP as $ip) {
+            if ($ip === '*') {
+                // The list has wildcard, this accept all IPs.
+                $output = true;
+                break;
+            } else if ($ip === $userIP) {
+                $output = true;
+                break;
+            } else if (preg_match('/([0-2]?[0-9]{1,2})[.]([0-2]?[0-9]{1,2})[.]([0-2]?[0-9]{0,2})[.](0){1}/', $ip) > 0) {
+                $rangeArrayIP = explode('.', $ip);
+                $userArrayIP = explode('.', $userIP);
+                foreach ($rangeArrayIP as $position => $segmentIP) {
+                    if ($segmentIP === $userArrayIP[$position]) {
+                        $output = true;
+                    } else if ((string) $segmentIP === '0') {
+                        break 2;
+                    } else {
+                        $output = false;
+                    }
+                }
+            } else {
+                $output = false;
+            }
+        }
+    }
+
+    return $output;
+}
--- a/pandora_console/index.php
+++ b/pandora_console/index.php
@ -303,7 +303,16 @@ if (isset($config['id_user']) === false) {
        $user_info = users_get_user_by_id($nick);
        if ((bool) $user_info['allowed_ip_active'] === true) {
            $userIP = $_SERVER['REMOTE_ADDR'];
-            if ((strpos($user_info['allowed_ip_list'], '*') !== false || strpos($user_info['allowed_ip_list'], $userIP) !== false) === false) {
+            $allowedIP = false;
+            $arrayIP = explode(',', $user_info['allowed_ip_list']);
+            // By default, if the IP definition is no correct, allows all.
+            if (empty($arrayIP) === true) {
+                $allowedIP = true;
+            } else {
+                $allowedIP = checkIPInRange($arrayIP, $userIP);
+            }
+
+            if ($allowedIP === false) {
                $config['auth_error'] = 'IP not allowed';
                $login_failed = true;
                include_once 'general/login_page.php';