From 0512ffb7f70f85223a71ffd539b74459793178af Mon Sep 17 00:00:00 2001 From: Guillaume Mazoyer Date: Wed, 3 Sep 2014 11:19:56 +0200 Subject: Add config to disallow the use of private and reserved IP ranges. --- includes/utils.php | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) (limited to 'includes/utils.php') diff --git a/includes/utils.php b/includes/utils.php index 1319690..01b034c 100644 --- a/includes/utils.php +++ b/includes/utils.php @@ -21,6 +21,40 @@ require_once 'config.php'; +/** + * Test if a given parameter is a private IPv4 or IPv6. + * + * @param string $ip the parameter to test. + * @return boolean true if the parameter is a private IP address, false + * otherwise. + */ +function match_private_ip_range($ip) { + if (empty($ip)) { + return false; + } + + $is_private = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE); + + return (!$is_private ? true : false); +} + +/** + * Test if a given parameter is a reserved IPv4. + * + * @param string $ip the parameter to test. + * @return boolean true if the parameter is a reserved IPv4 address, false + * otherwise. + */ +function match_reserved_ip_range($ip) { + if (empty($ip)) { + return false; + } + + $is_reserved = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE); + + return (!$is_reserved ? true : false); +} + /** * Test if a given parameter is an IPv4 or not. * 
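Review bot: `match_private_ip_range()` and `match_reserved_ip_range()` return true for any non-empty string that is not an IP address at all, because `filter_var()` yields false both for an address in the excluded range and for input that fails IP validation. The callers in this patch still fail closed in that case, but the names and docblocks promise "true if private/reserved", which a later caller could rely on wrongly. I would validate first with `if (filter_var($ip, FILTER_VALIDATE_IP) === false) { return false; }` and then `return $is_private === false;` (likewise `$is_reserved === false`) instead of the `!$x ? true : false` ternary. The docblock of the reserved helper should also state whether IPv6 is covered; it currently says IPv4 only.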
@@ -33,12 +67,38 @@ require_once 'config.php'; * otherwise. */ function match_ipv4($ip, $ip_only = true) { + global $config; + + if (empty($ip)) { + return false; + } + if (strrpos($ip, '/') && !$ip_only) { $ip_and_mask = explode('/', $ip, 2); + if (!$config['misc']['allow_private_ip'] && + match_private_ip_range($ip_and_mask[0])) { + return false; + } + + if (!$config['misc']['allow_reserved_ip'] && + match_reserved_ip_range($ip_and_mask[0])) { + return false; + } + return filter_var($ip_and_mask[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) && filter_var($ip_and_mask[1], FILTER_VALIDATE_INT); } else { + if (!$config['misc']['allow_private_ip'] && + match_private_ip_range($ip)) { + return false; + } + + if (!$config['misc']['allow_reserved_ip'] && + match_reserved_ip_range($ip)) { + return false; + } + return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4); } } @@ -55,12 +115,28 @@ function match_ipv4($ip, $ip_only = true) { * otherwise. */ function match_ipv6($ip, $ip_only = true) { + global $config; + + if (empty($ip)) { + return false; + } + if (strrpos($ip, '/') && !$ip_only) { $ip_and_mask = explode('/', $ip, 2); + if (!$config['misc']['allow_private_ip'] && + match_private_ip_range($ip_and_mask[0])) { + return false; + } + return filter_var($ip_and_mask[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) && filter_var($ip_and_mask[1], FILTER_VALIDATE_INT); } else { + if (!$config['misc']['allow_private_ip'] && + match_private_ip_range($ip)) { + return false; + } + return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6); } } @@ -74,6 +150,10 @@ function match_ipv6($ip, $ip_only = true) { function match_fqdn($fqdn) { $regex = '/(?=^.{4,255}$)(^((?!-)[a-zA-Z0-9-]{1,63}(? array('min_range' => 4200000000, 'max_range' => 4294967294) ); + if (empty($as)) { + return false; + } + if (!filter_var($as, FILTER_VALIDATE_INT, $options_wide_range)) { return false; } 
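Review bot: The private/reserved policy check is pasted into both branches of `match_ipv4()` and again, in reduced form, into `match_ipv6()` in the next hunk, so the copies can drift apart. Extracting the address part once and applying the policy before the existing if/else leaves a single place to audit. `$config['misc']['allow_private_ip']` and `$config['misc']['allow_reserved_ip']` are also read without a default. With a configuration that lacks these keys, PHP raises a notice and the ranges are rejected, which is the safe direction, but it should be made explicit where the defaults are defined (not visible in this patch).

```php
function match_ipv4($ip, $ip_only = true) {
  // … unchanged: global $config and the empty() guard …

  // Apply the range policy once, to the address part only.
  $address = $ip;
  if (strrpos($ip, '/') && !$ip_only) {
    $parts = explode('/', $ip, 2);
    $address = $parts[0];
  }

  if (!$config['misc']['allow_private_ip'] &&
      match_private_ip_range($address)) {
    return false;
  }

  if (!$config['misc']['allow_reserved_ip'] &&
      match_reserved_ip_range($address)) {
    return false;
  }

  // … unchanged: if/else with the FILTER_FLAG_IPV4 and prefix-length validation …
```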
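Review bot: `match_ipv6()` consults only `allow_private_ip`; `allow_reserved_ip` is never checked on either branch, so that setting has no effect on IPv6 input such as loopback or link-local addresses. PHP documents reserved IPv6 ranges for `FILTER_FLAG_NO_RES_RANGE`, so, assuming the deployed PHP version implements them, the guard from `match_ipv4()` can be added here: `if (!$config['misc']['allow_reserved_ip'] && match_reserved_ip_range($ip)) { return false; }` (with `$ip_and_mask[0]` on the prefix branch). If the omission is deliberate, a comment stating that the reserved option is IPv4-only would keep operators from assuming coverage. Hostname input appears to go through `match_fqdn()` with no range check (that hunk is only partly legible on this page), so the option's documentation should say that it applies to literal addresses only.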
@@ -119,6 +203,10 @@ function match_as($as) { } function match_aspath_regex($aspath_regex) { + if (empty($aspath_regex)) { + return false; + } + // TODO: validate a regex with a regex? return true; } -- cgit v1.2.3
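Review bot: After the new `empty()` guard, `match_aspath_regex()` still returns true for every non-empty string, so callers get no real validation from it and the TODO stays open. If the value is later placed into a router command (the caller is not visible here, so this needs confirming), an allow-list of the characters an AS-path expression can contain is safer than trying to validate the regex itself. For example, `if (!preg_match('/^[0-9_ ^$.*+?()\[\]|{},-]+$/D', $aspath_regex)) { return false; }` before the final `return true;`, with the set adjusted to the regex dialects of the supported routers. Until then, a comment saying that this function does not sanitise its input would be more accurate than the bare TODO.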