From 8da3573ffbaaa02fc61118fdd5617022cb9e8f16 Mon Sep 17 00:00:00 2001 From: Anton Mitsengendler Date: Wed, 20 Feb 2019 17:12:06 +0300 Subject: [PATCH] added client subnet filter --- api/upload.php | 4 ++++ inc/core.php | 27 +++++++++++++++++++++++++++ inc/example.config.inc.php | 3 ++- rtfm/CONFIG.md | 1 + 4 files changed, 34 insertions(+), 1 deletion(-) diff --git a/api/upload.php b/api/upload.php index cf04ab6..6520ae9 100644 --- a/api/upload.php +++ b/api/upload.php @@ -21,6 +21,10 @@ if(!isFolderWritable(ROOT.DS.'data')) else if(!isFolderWritable(ROOT.DS.'tmp')) exit(json_encode(array('status'=>'err','reason'=>'Temp directory not writable'))); +// check if client has permission to upload +if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET )) + exit(json_encode(array('status'=>'err','reason'=> 'Access denied'))); + $hash = sanatizeString(trim($_REQUEST['hash']))?sanatizeString(trim($_REQUEST['hash'])):false; // check for POST upload diff --git a/inc/core.php b/inc/core.php index 5040323..b456fdd 100644 --- a/inc/core.php +++ b/inc/core.php @@ -24,6 +24,12 @@ function architect($url) //just show the site if( ( (!defined('UPLOAD_FORM_LOCATION') || (defined('UPLOAD_FORM_LOCATION') && !UPLOAD_FORM_LOCATION)) && count($u)==0) || (defined('UPLOAD_FORM_LOCATION') && UPLOAD_FORM_LOCATION && '/'.implode('/',$u)==UPLOAD_FORM_LOCATION) ) { + // check if client address is allowed + if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET )) + { + header("HTTP/1.1 401 Unauthorized"); + exit; + } renderTemplate('main'); return; } @@ -500,4 +506,25 @@ function deleteHash($hash) $c->deleteFile($hash); } } +} + +/** + * Check if a given ip is in a network + * @param string $ip IP to check in IPV4 format eg. 127.0.0.1 + * @param string $range IP/CIDR netmask eg. 127.0.0.0/24, also 127.0.0.1 is accepted and /32 assumed + * @return boolean true if the ip is in this range / false if not. + * via https://gist.github.com/tott/7684443 + */ +function isIPInRange( $ip, $range ) { + if ( strpos( $range, '/' ) == false ) + { + $range .= '/32'; + } + // $range is in IP/CIDR format eg 127.0.0.1/24 + list( $range, $netmask ) = explode( '/', $range, 2 ); + $range_decimal = ip2long( $range ); + $ip_decimal = ip2long( $ip ); + $wildcard_decimal = pow( 2, ( 32 - $netmask ) ) - 1; + $netmask_decimal = ~ $wildcard_decimal; + return ( ( $ip_decimal & $netmask_decimal ) == ( $range_decimal & $netmask_decimal ) ); } \ No newline at end of file diff --git a/inc/example.config.inc.php b/inc/example.config.inc.php index f6cabb4..6403b3c 100644 --- a/inc/example.config.inc.php +++ b/inc/example.config.inc.php @@ -11,4 +11,5 @@ define('URL','https://dev.pictshare.net/'); //define('JPEG_COMPRESSION', 90); //define('FFMPEG_BINARY',''); -//define('ALT_FOLDER','/ftp/pictshare'); \ No newline at end of file +//define('ALT_FOLDER','/ftp/pictshare'); +//define('ALLOWED_SUBNET','192.168.0.0/24'); \ No newline at end of file diff --git a/rtfm/CONFIG.md b/rtfm/CONFIG.md index ed9370a..0193f68 100644 --- a/rtfm/CONFIG.md +++ b/rtfm/CONFIG.md @@ -12,6 +12,7 @@ | MASTER_DELETE_CODE | string | If set, this code will be accepted to delete any image by adding "delete_yourmasterdeletecode" to any image | | MASTER_DELETE_IP | IP addr | If set, allows deletion of image no matter what delete code you provided if request is coming from this single IP | | UPLOAD_FORM_LOCATION | string | If set, will only show the upload form if this url is requested. eg if you set it to /secret/upload then you only see the form if you go to http://your.pictshare.server/secret/upload but bare in mind that the uploads [via API](/rtfm/API.md) will still work for anyone| +| ALLOWED_SUBNET | IP addr | If set, will only show the upload form and allow to upload via API if request is coming from this subnet | | UPLOAD_QUOTA (NOT IMPLEMENTED) | int | Size in MB. If set, will only allow uploads if combined size of uploads on Server is smaller than this value. Does not account for ALT_FOLDER data and resized versions of original uploads won't be added to calculation | | UPLOAD_CODE (NOT IMPLEMENTED | string | If set, all uploads require this code via GET or POST variable "uploadcode" or upload will fail | | MAX_RESIZED_IMAGES (NOT IMPLEMENTED | string | If set, limits count of resized images/videos per file on server | \ No newline at end of file