added client subnet filter

api/upload.php

@@ -21,6 +21,10 @@ if(!isFolderWritable(ROOT.DS.'data'))
 else if(!isFolderWritable(ROOT.DS.'tmp'))
     exit(json_encode(array('status'=>'err','reason'=>'Temp directory not writable')));
 
+// check if client has permission to upload
+if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET ))
+    exit(json_encode(array('status'=>'err','reason'=> 'Access denied')));
+
 $hash = sanatizeString(trim($_REQUEST['hash']))?sanatizeString(trim($_REQUEST['hash'])):false;
 
 // check for POST upload

inc/core.php

@@ -24,6 +24,12 @@ function architect($url)
     //just show the site
     if( ( (!defined('UPLOAD_FORM_LOCATION') || (defined('UPLOAD_FORM_LOCATION') && !UPLOAD_FORM_LOCATION)) && count($u)==0) || (defined('UPLOAD_FORM_LOCATION') && UPLOAD_FORM_LOCATION && '/'.implode('/',$u)==UPLOAD_FORM_LOCATION) )
     {
+        // check if client address is allowed
+        if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET ))
+        {
+            header("HTTP/1.1 401 Unauthorized");
+            exit;
+        }
         renderTemplate('main');
         return;
     }
@@ -501,3 +507,24 @@ function deleteHash($hash)
         }
     }
 }
+
+/**
+ * Check if a given ip is in a network
+ * @param  string $ip    IP to check in IPV4 format eg. 127.0.0.1
+ * @param  string $range IP/CIDR netmask eg. 127.0.0.0/24, also 127.0.0.1 is accepted and /32 assumed
+ * @return boolean true if the ip is in this range / false if not.
+ * via https://gist.github.com/tott/7684443
+ */
+function isIPInRange( $ip, $range ) {
+    if ( strpos( $range, '/' ) == false )
+    {
+        $range .= '/32';
+    }
+    // $range is in IP/CIDR format eg 127.0.0.1/24
+    list( $range, $netmask ) = explode( '/', $range, 2 );
+    $range_decimal = ip2long( $range );
+    $ip_decimal = ip2long( $ip );
+    $wildcard_decimal = pow( 2, ( 32 - $netmask ) ) - 1;
+    $netmask_decimal = ~ $wildcard_decimal;
+    return ( ( $ip_decimal & $netmask_decimal ) == ( $range_decimal & $netmask_decimal ) );
+}

inc/example.config.inc.php

@@ -12,3 +12,4 @@ define('URL','https://dev.pictshare.net/');
 //define('JPEG_COMPRESSION', 90);
 //define('FFMPEG_BINARY','');
 //define('ALT_FOLDER','/ftp/pictshare');
+//define('ALLOWED_SUBNET','192.168.0.0/24');

rtfm/CONFIG.md

@@ -12,6 +12,7 @@
 | MASTER_DELETE_CODE      | string  | If set, this code will be accepted to delete any image by adding "delete_yourmasterdeletecode" to any image |
 | MASTER_DELETE_IP        | IP addr | If set, allows deletion of image no matter what delete code you provided if request is coming from this single IP |
 | UPLOAD_FORM_LOCATION    | string  | If set, will only show the upload form if this url is requested. eg if you set it to /secret/upload then you only see the form if you go to http://your.pictshare.server/secret/upload but bare in mind that the uploads [via API](/rtfm/API.md) will still work for anyone|
+| ALLOWED_SUBNET          | IP addr | If set, will only show the upload form and allow to upload via API if request is coming from this subnet |
 | UPLOAD_QUOTA (NOT IMPLEMENTED)            | int     | Size in MB. If set, will only allow uploads if combined size of uploads on Server is smaller than this value. Does not account for ALT_FOLDER data and resized versions of original uploads won't be added to calculation |
 | UPLOAD_CODE (NOT IMPLEMENTED             | string  | If set, all uploads require this code via GET or POST variable "uploadcode" or upload will fail |
 | MAX_RESIZED_IMAGES (NOT IMPLEMENTED      | string  | If set, limits count of resized images/videos per file on server |