From 55d0e0fce0d4f92b3873b716b24c862a797f10ee Mon Sep 17 00:00:00 2001 From: Thomas Nilsen Date: Tue, 16 Oct 2018 22:32:05 +0200 Subject: [PATCH] Added IP Whitelist Check contributed by https://github.com/spiridonovpolytechnic in bemosior/PHPasswordPusher#49, while implementing the changes suggested by besmosior in https://github.com/bemosior/PHPasswordPusher/pull/49#issuecomment-297452114 * Resolves bemosior/PHPasswordPusher#49 --- pwpusher_private/config.php | 6 ++++++ pwpusher_private/security.php | 30 +++++++++++++++++++++++++++++- pwpusher_public/pw.php | 15 ++++++++++++--- 3 files changed, 47 insertions(+), 4 deletions(-) diff --git a/pwpusher_private/config.php b/pwpusher_private/config.php index dddae9e..089f995 100644 --- a/pwpusher_private/config.php +++ b/pwpusher_private/config.php @@ -47,6 +47,12 @@ //Maximum life of a shared credential/password (in minutes). $credMaxLife = (60 * 24 * 90); //90 days + //IP Whitelist for creating credentials + //Whitelist is an array of CIDR notation IP addresses + $checkCreatorIpWhitelist = false; + $creatorIpWhitelist = array( + "10.0.0.0/24" + ); //Email: diff --git a/pwpusher_private/security.php b/pwpusher_private/security.php index d609443..4405ba6 100644 --- a/pwpusher_private/security.php +++ b/pwpusher_private/security.php @@ -120,4 +120,32 @@ function getSalt() { $salt = substr(str_replace('+', '.', base64_encode(pack('N4', mt_rand(), mt_rand(), mt_rand(), mt_rand()))), 0, 22); return $salt; -} \ No newline at end of file +} + +/** + * Check if the client if an ip is in array of supplied CIDR notation IP ranges + * + * @return bool $validIp + */ +function ipInList($ipString, $cidrArray) +{ + $validIp = false; + $ipLong = ip2long($ipString); + foreach ($cidrArray as $cidr) + { + try + { + list ($ipWhite, $cidrNum) = explode('/', $cidr); + $ipWhiteLong = ip2long($ipWhite); + $netmask = -1 << (32 - (int)$cidrNum); + if (($ipLong & $netmask) == ($ipWhiteLong & $netmask)) + { + $validIp = true; + } + } + catch (Error $error) + { + } + } + return $validIp; +} diff --git a/pwpusher_public/pw.php b/pwpusher_public/pw.php index a176a44..5b2abe5 100644 --- a/pwpusher_public/pw.php +++ b/pwpusher_public/pw.php @@ -13,6 +13,15 @@ require '../pwpusher_private/interface.php'; require '../pwpusher_private/CAS/CAS.php'; +// check if we need to check for white listing +$creatorIpOk = !$checkCreatorIpWhitelist; +if ($checkCreatorIpWhitelist) +{ + $creatorIpOk = false; + $ipClientString = $_SERVER['REMOTE_ADDR']; + $creatorIpOk = ipInList($ipClientString, $creatorIpWhitelist); +} + //Print the header print getHeader(); @@ -37,7 +46,7 @@ } //If the form function argument doesn't exist, print the form for the user. -if ($arguments['func'] == 'none' || $arguments == false) { +if ($arguments['func'] == 'none' || $arguments == false && $creatorIpOk) { //Force CAS Authentication in order to load the form if ($requireCASAuth) { @@ -51,7 +60,7 @@ } //Fail Apache Authentication if configured but not successful - } elseif ($requireApacheAuth && empty($_SERVER['PHP_AUTH_USER'])) { + } elseif ($requireApacheAuth && empty($_SERVER['PHP_AUTH_USER']) || $checkCreatorIpWhitelist && !$creatorIpOk) { //This section is a courtesy check; PHP_AUTH_USER can possibly be spoofed //if web auth isn't configured. /** @noinspection PhpToStringImplementationInspection */ @@ -75,7 +84,7 @@ $_SERVER['PHP_AUTH_NAME'] = $attributes[$casSamlNameAttribute]; } - } elseif ($requireApacheAuth && empty($_SERVER['PHP_AUTH_USER'])) { + } elseif ($requireApacheAuth && empty($_SERVER['PHP_AUTH_USER']) || $checkCreatorIpWhitelist && !$creatorIpOk) { //This section is a courtesy check; PHP_AUTH_USER can possibly be spoofed //if web auth isn't configured. /** @noinspection PhpToStringImplementationInspection */