From 185d3fd2ce1cb9fd417c7abe52cc7afa9dc32ad1 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Tue, 25 Apr 2006 11:25:07 +0000
Subject: [PATCH] added host restriction

---
 lam/help/help.inc | 2 ++
 lam/lib/config.inc | 8 ++++-
 lam/lib/security.inc | 44 ++++++++++++------------
 lam/templates/config/mainmanage.php | 53 ++++++++++++++++++++++++++---
 4 files changed, 80 insertions(+), 27 deletions(-)

diff --git a/lam/help/help.inc b/lam/help/help.inc
index 163e1ec2..5ebb3787 100644
--- a/lam/help/help.inc
+++ b/lam/help/help.inc
@@ -134,6 +134,8 @@ $helpArray = array (
 "Text" => _("Please select your prefered log level. Messages with a lower level will not be logged.")),
 "240" => array ("ext" => "FALSE", "Headline" => _("Log destination"),
 "Text" => _("Here you can select where LAM should save its log messages. System logging will go to Syslog on Unix systems and event log on Windows. You can also select an extra file.")),
+ "241" => array ("ext" => "FALSE", "Headline" => _("Allowed hosts"),
+ "Text" => _("This is a list of IP addresses from hosts who may access LAM. You can use \"*\" as wildcard (e.g. 192.168.0.*).")),
 "250" => array ("ext" => "FALSE", "Headline" => _("Account lists - Filters"),
 "Text" => _("Here you can input small filter expressions (e.g. 'value' or 'v*'). LAM will filter case-insensitive.")),
 // 300 - 399
diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index 81e06f30..2b420127 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -728,8 +728,12 @@ class CfgMain {
 /** log destination ("SYSLOG":syslog, "/...":file, "NONE":none) */
 var $logDestination;
 
+ /** list of hosts which may access LAM */
+ var $allowedHosts;
+
 /** list of data fields to save in config file */
- var $settings = array("password", "default", "sessionTimeout", "logLevel", "logDestination");
+ var $settings = array("password", "default", "sessionTimeout",
+ "logLevel", "logDestination", "allowedHosts");
 
 /**
 * Loads preferences from config file
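Review bot: The docblock `/** list of hosts which may access LAM */` on the new `$allowedHosts` property leaves the value's format to the reader, although the other hunks fix it: a comma-separated string of client IP addresses made of digits, dots and `*` as wildcard, with the empty string meaning "no restriction" (checkClientIP returns early on `""`). Suggest `/** comma separated list of client IP addresses (digits, dots and "*" as wildcard) which may access LAM; "" disables the check */`. The same wording belongs in the `# list of hosts which may access LAM` comment that the third config.inc hunk writes into the configuration file, since that is where an administrator editing the file by hand will look. The `var $settings` array is the only place that ties the new field to load/save, so a one-line comment there saying that the order is the write order would also help; the constructor that assigns the default lies in the next hunk.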
@@ -739,6 +743,7 @@ class CfgMain {
 $this->sessionTimeout = 30;
 $this->logLevel = LOG_NOTICE;
 $this->logDestination = "SYSLOG";
+ $this->allowedHosts = "";
 $this->reload();
 }
 
@@ -809,6 +814,7 @@ class CfgMain {
 if (!in_array("sessionTimeout", $saved)) array_push($file_array, "\n\n# session timeout in minutes\n" . "sessionTimeout: " . $this->sessionTimeout);
 if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
 if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
+ if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
 $file = @fopen($conffile, "w");
 if ($file) {
 for ($i = 0; $i < sizeof($file_array); $i++) fputs($file, $file_array[$i]);
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index 77fc99cc..397c3e5e 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -33,6 +33,9 @@ include_once('config.inc');
 /** ldap connection */
 include_once('ldap.inc');
 
+// check client IP address
+checkClientIP();
+
 /**
 * Starts a session and checks the environment.
 * The script is stopped if one of the checks fail.
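Review bot: `checkClientIP();` is executed at include time, well before `function checkClientIP()` is declared further down security.inc; this only works because PHP registers unconditional top-level function declarations at compile time, and a reader of this spot sees a call to a name that does not yet exist. The comment `// check client IP address` should say so and state the consequence: `// runs whenever security.inc is included, before startSecureSession(); checkClientIP() is declared below (PHP hoists unconditional declarations) and terminates the script for clients not in the allow list`. Because the guard fires during include rather than inside startSecureSession(), every script that includes security.inc is gated, which is presumably the intent but deserves to be stated where the next maintainer would otherwise move the call into the function.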
@@ -72,27 +75,26 @@ function startSecureSession() {
 *
 */
 function checkClientIP() {
-
-}
-
-/**
- * Checks if the user is allowed to access LAM at this time.
- * The script is stopped if time is exceeded.
- *
- * @param unknown_type $dn
- */
-function checkUserTime($dn) {
-
-}
-
-/**
- * Returns a list of DNs of valid LAM users.
- *
- * @param string $dn configuration DN
- * @return array $dn user list
- */
-function getValidUserDNs($dn) {
- return array("uid=test,o=test", "uid=test2,o=test");
+ $cfg = new CfgMain();
+ $allowedHosts = $cfg->allowedHosts;
+ // skip test if no hosts are defined
+ if ($allowedHosts == "") return;
+ $allowedHosts = explode(",", $allowedHosts);
+ $grantAccess = false;
+ for ($i = 0; $i < sizeof($allowedHosts); $i++) {
+ $host = $allowedHosts[$i];
+ $ipRegex = '^[0-9\\.\\*]+$';
+ if (!ereg($ipRegex, $host)) continue;
+ $hostRegex = str_replace(".", "\\.", $host);
+ $hostRegex = '^' . str_replace("*", ".*", $hostRegex) . '$';
+ $clientIP = $_SERVER['REMOTE_ADDR'];
+ if (ereg($hostRegex, $clientIP)) {
+ // client is allowed to access LAM
+ $grantAccess = true;
+ }
+ }
+ // stop script is client may not access LAM
+ if (!$grantAccess) die();
 }
 
 /**
diff --git a/lam/templates/config/mainmanage.php b/lam/templates/config/mainmanage.php
index 924fbf4d..01e00994 100644
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
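Review bot: A client whose `$_SERVER['REMOTE_ADDR']` is an IPv6 address (for example `::1`) can never match, because `$ipRegex` admits only digits, dots and `*`, so once any host is configured such clients are refused without a trace; behind a reverse proxy REMOTE_ADDR is the proxy's own address, so the list then admits or blocks everyone alike — both limits belong in the docblock above, whose start is outside the hunk. The deny path `if (!$grantAccess) die();` answers with an empty HTTP 200 and records nothing, so a locked-out administrator cannot distinguish a misconfigured list from an outage; sending a 403 status (when nothing has been output yet) and a line through LAM's logging would make the refusal diagnosable. `ereg` is the POSIX engine, whose bracket expressions treat backslash literally, so the class in `'^[0-9\\.\\*]+$'` also accepts `\`; `preg_match` with `preg_quote` expresses the same check without that quirk, and `$clientIP` needs reading only once outside the loop. The same entry regex is duplicated in mainmanage.php, where a single shared validator would keep the two in step.
```php
function checkClientIP() {
	$cfg = new CfgMain();
	$allowedHosts = $cfg->allowedHosts;
	// skip test if no hosts are defined
	if ($allowedHosts == "") return;
	// REMOTE_ADDR is the proxy's address behind a reverse proxy, and an IPv6
	// client address never matches the digits-and-dots entries below
	$clientIP = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
	$grantAccess = false;
	foreach (explode(",", $allowedHosts) as $host) {
		$host = trim($host);
		// entries are digits, dots and "*" only; anything else is ignored
		if (!preg_match('/^[0-9.*]+$/', $host)) continue;
		// "*" is a wildcard, e.g. 192.168.0.*
		$hostRegex = '/^' . str_replace('\*', '.*', preg_quote($host, '/')) . '$/';
		if (preg_match($hostRegex, $clientIP)) {
			$grantAccess = true;
			break;
		}
	}
	if (!$grantAccess) {
		// refuse with an explicit status instead of an empty 200 response
		header('HTTP/1.0 403 Forbidden');
		die();
	}
}
```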
@@ -89,6 +89,27 @@ if ($_POST['submit']) {
 }
 // set session timeout
 $cfg->sessionTimeout = $_POST['sessionTimeout'];
+ // set allowed hosts
+ if (isset($_POST['allowedHosts'])) {
+ $allowedHosts = $_POST['allowedHosts'];
+ $allowedHostsList = explode("\n", $allowedHosts);
+ for ($i = 0; $i < sizeof($allowedHostsList); $i++) {
+ $allowedHostsList[$i] = trim($allowedHostsList[$i]);
+ // ignore empty lines
+ if ($allowedHostsList[$i] == "") {
+ unset($allowedHostsList[$i]);
+ continue;
+ }
+ // check each line
+ $ipRegex = '^[0-9\\.\\*]+$';
+ if (!ereg($ipRegex, $allowedHostsList[$i]) || (strlen($allowedHostsList[$i]) > 15)) {
+ $errors[] = sprintf(_("The IP address %s is invalid!"), $allowedHostsList[$i]);
+ }
+ }
+ $allowedHosts = implode(",", $allowedHostsList);
+ }
+ else $allowedHosts = "";
+ $cfg->allowedHosts = $allowedHosts;
 // set log level
 $cfg->logLevel = $_POST['logLevel'];
 // set log destination
@@ -118,7 +139,7 @@ if ($_POST['submit']) {
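Review bot: The `for` loop re-evaluates `sizeof($allowedHostsList)` on every iteration while `unset($allowedHostsList[$i])` shrinks the count without renumbering the remaining keys, so after each empty line one trailing entry is skipped: it is neither trimmed nor validated, yet `implode(",", $allowedHostsList)` still writes it into the saved list, and a textarea posting `\r\n` line ends makes empty lines common. Such an untrimmed entry then fails the `ereg` check in checkClientIP and is silently ignored, so a host the administrator typed in is refused. Building a fresh list with `foreach` removes the index arithmetic; that loop is also the natural place to reject a list that does not match the administrator's own `$_SERVER['REMOTE_ADDR']`, because a bad save would otherwise lock out every client (including this page, if it includes security.inc), and whether the save is gated on `$errors` lies outside the hunk. `strlen(...) > 15` still admits shapes like `1.2.3.4.5.6.7.8`; counting octets would be the stricter check if one is wanted.
```php
	// set allowed hosts
	$allowedHostsList = array();
	if (isset($_POST['allowedHosts'])) {
		foreach (explode("\n", $_POST['allowedHosts']) as $line) {
			$line = trim($line);
			// ignore empty lines
			if ($line == "") continue;
			// check each line
			$ipRegex = '^[0-9\\.\\*]+$';
			if (!ereg($ipRegex, $line) || (strlen($line) > 15)) {
				$errors[] = sprintf(_("The IP address %s is invalid!"), $line);
			}
			$allowedHostsList[] = $line;
		}
	}
	$cfg->allowedHosts = implode(",", $allowedHostsList);
	// … unchanged: log level and log destination …
```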
- +
@@ -126,8 +147,10 @@ if ($_POST['submit']) { - + + + + + + +
+ +
+ + + +   + "; + echo "\"""; + echo "\n"; + ?> +

@@ -279,10 +319,13 @@ if ($_POST['submit']) {
+ + +
+ "> + + -
- - ">