Add CIDR range checking for admin IP (#130)

* Add CIDR range checking for admin IP * Be more strict in checking admin IP
2025-09-21 02:19:47 +00:00 · 2017-06-18 03:26:27 -04:00 · 2017-06-18 03:26:27 -04:00 · 215fec2dc8
commit 215fec2dc8
parent 69a4859c56
4 changed files with 30 additions and 7 deletions
--- a/web/yaamp/core/functions/admin.php
+++ b/web/yaamp/core/functions/admin.php
@ -55,3 +55,29 @@ function getAdminWalletLinks($coin, $info=NULL, $src='wallet')
 }

 /////////////////////////////////////////////////////////////////////////////////////////////
+
+// Check if $IP is in $CIDR range
+// Credit:  claudiu at cnixs dot com
+function ipCIDRCheck ($IP, $CIDR) {
+	list ($net, $mask) = split ("/", $CIDR);
+
+	$ip_net = ip2long ($net);
+	$ip_mask = ~((1 << (32 - $mask)) - 1);
+
+	$ip_ip = ip2long ($IP);
+
+	$ip_ip_net = $ip_ip & $ip_mask;
+
+	return ($ip_ip_net === $ip_net);
+}
+
+function isAdminIP ($ip) {
+	foreach(explode(",", YAAMP_ADMIN_IP) as $range) {
+		if(strpos($range, '/')) {
+			if(ipCIDRCheck($ip, $range) === true) return true;
+		} else {
+			if ($range === $ip) return true;
+		}
+	}
+	return false;
+}
--- a/web/yaamp/modules/common/CommonController.php
+++ b/web/yaamp/modules/common/CommonController.php
@ -25,7 +25,7 @@ class CommonController extends CController
 		if(user()->getState('yaamp_admin')) {
 			$this->admin = true;
 			$client_ip = arraySafeVal($_SERVER,'REMOTE_ADDR');
-			if (!in_array($client_ip, explode(',',YAAMP_ADMIN_IP), true)) {
+			if (!isAdminIP($client_ip)) {
 				user()->setState('yaamp_admin', false);
 				debuglog("admin attempt from $client_ip");
 				$this->admin = false;
--- a/web/yaamp/modules/site/SiteController.php
+++ b/web/yaamp/modules/site/SiteController.php
@ -10,11 +10,8 @@ class SiteController extends CommonController
 	{
 		$client_ip = $_SERVER['REMOTE_ADDR'];

-		$valid = false;
-		if (strpos(YAAMP_ADMIN_IP, ','))
-			$valid = in_array($client_ip, explode(',',YAAMP_ADMIN_IP), true);
-		else
-			$valid = ($client_ip === YAAMP_ADMIN_IP);
+		$valid = false; // Just in case?
+		$valid = isAdminIP($client_ip);

 		if ($valid)
 			debuglog("admin connect from $client_ip");
--- a/web/yaamp/ui/main.php
+++ b/web/yaamp/ui/main.php
@ -105,7 +105,7 @@ function showPageHeader()

 	if(controller()->admin)
 	{
-		if (strpos(YAAMP_ADMIN_IP, $_SERVER['REMOTE_ADDR']) === false)
+		if (isAdminIP($_SERVER['REMOTE_ADDR']) === false)
 			debuglog("admin {$_SERVER['REMOTE_ADDR']}");

 		showItemHeader(controller()->id=='coin', '/coin', 'Coins');