diff --git a/bureau/admin/index.php b/bureau/admin/index.php index 8e4e22ce..43bf36eb 100644 --- a/bureau/admin/index.php +++ b/bureau/admin/index.php @@ -59,6 +59,7 @@ if (!isset($restrictip)) {

 

$error"; ?> ATTENTION : vous allez accéder à votre panel en mode *non sécurisé*
@@ -69,6 +70,7 @@ if (!$_SERVER[HTTPS]) {
diff --git a/bureau/admin/ip_main.php b/bureau/admin/ip_main.php index b63b110e..a70bae70 100644 --- a/bureau/admin/ip_main.php +++ b/bureau/admin/ip_main.php @@ -90,17 +90,25 @@ $lac = $authip->list_affected();

- + $v) { ?> + + + + $v) { ?> - + + - +

+";__("You are attemping to connect without IP restriction."); echo "

"; } ?>
@@ -77,6 +79,7 @@ if (!$_SERVER[HTTPS]) {
" />
+

diff --git a/bureau/class/config.php b/bureau/class/config.php index 1abf758d..981790e3 100644 --- a/bureau/class/config.php +++ b/bureau/class/config.php @@ -149,6 +149,7 @@ include_once("lang_env.php"); $mem=new m_mem(); $err=new m_err(); +$authip=new m_authip(); /* Check the User identity (if required) */ if (!defined('NOCHECK')) { @@ -160,7 +161,7 @@ if (!defined('NOCHECK')) { } for($i=0;$iquery("select ai.ip, ai.subnet, ai.infos, aia.parameters from authorised_ip ai, authorised_ip_affected aia where aia.protocol='$s' and aia.authorised_ip_id = ai.id and ai.uid='$cuid';") ) { + echo "query failed: ".$db->Error; + return false; + } + $r=Array(); + while ($db->next_record()) { + $r[]=Array("ip"=>$db->f("ip"), "subnet"=>$db->f("subnet"), "infos"=>$db->f("infos"), "parameters"=>$db->f("parameters")); + } + return $r; + } + + function is_wl($ip) { + global $db; + if (! $db->query("select ai.ip, ai.subnet from authorised_ip ai where ai.uid='0';") ) { + echo "query failed: ".$db->Error; + return false; + } + while ($db->next_record()) { + if ( $this->is_in_subnet($ip, $db->f('ip'), $db->f('subnet') ) ) return true; + } + return false; + } + + /* + * Retourne si l'ip appartient au subnet. + * + */ + function is_in_subnet($o, $ip, $sub) { + $o = inet_pton($o); + $ip = inet_pton($ip); + $sub = pow(2, $sub); + + if ( $o >= $ip && $o <= ($ip+$sub) ) return true; + return false; + } + /* * Sauvegarde une IP dans les IP TOUJOURS authorisée * diff --git a/bureau/class/m_mem.php b/bureau/class/m_mem.php index 946dda73..4427905b 100644 --- a/bureau/class/m_mem.php +++ b/bureau/class/m_mem.php @@ -75,8 +75,8 @@ class m_mem { * @param $password string User Password. * @return boolean TRUE if the user has been successfully connected, or FALSE if an error occured. */ - function login($username,$password,$restrictip=0) { - global $db,$err,$cuid; + function login($username,$password,$restrictip=0,$authip_token=false) { + global $db,$err,$cuid, $authip; $err->log("mem","login",$username); // $username=addslashes($username); // $password=addslashes($password); @@ -97,6 +97,23 @@ class m_mem { } $this->user=$db->Record; $cuid=$db->f("uid"); + + // AuthIP + $allowed_ip=false; + if ( $authip_token ) $allowed_ip = $this->authip_tokencheck($authip_token); + + $aga = $authip->get_allowed('panel'); + foreach ($aga as $k=>$v ) { + if ( $authip->is_in_subnet(getenv("REMOTE_ADDR"), $v['ip'], $v['subnet']) ) $allowed=true ; + } + + // Error if there is rules, the IP is not allowed and it's not in the whitelisted IP + if ( sizeof($aga)>1 && !$allowed_ip && !$authip->is_wl(getenv("REMOTE_ADDR")) ) { + $err->raise("mem",42); // FIXME have a real error code -- Votre ip est pas authorisée + return false; + } + // End AuthIP + if ($restrictip) { $ip="'".getenv("REMOTE_ADDR")."'"; } else $ip="''"; @@ -160,6 +177,30 @@ class m_mem { $db->query("UPDATE membres SET lastlogin=NOW(), lastfail=0, lastip='$ip' WHERE uid='$cuid';"); } + function authip_token($bis=false) { + global $db,$cuid; + $db->query("select pass from membres where uid='$cuid';"); + $db->next_record(); + $i=intval(time()/3600); + if ($bis) ++$i; + return md5("$i--".$db->f('pass')); + } + + function authip_tokencheck($t) { + if ($t==$this->authip_token() || $t==$this->authip_token(true) ) return true; + return false; + } + + function authip_class() { + global $cuid; + $c = Array(); + $c['name']="Panel access"; + $c['protocol']="panel"; + $c['values']=Array($cuid=>''); + + return $c; + } + /* ----------------------------------------------------------------- */ /** Vérifie que la session courante est correcte (cookie ok et ip valide). * Si besoin, et si réception des champs username & password, crée une nouvelle @@ -171,7 +212,7 @@ class m_mem { * @return TRUE si la session est correcte, FALSE sinon. */ function checkid() { - global $db,$err,$cuid,$restrictip; + global $db,$err,$cuid,$restrictip,$authip; if ($_REQUEST["username"] && $_REQUEST["password"]) { return $this->login($_REQUEST["username"],$_REQUEST["password"],$_REQUEST["restrictip"]); } @@ -189,8 +230,8 @@ class m_mem { $db->next_record(); if ($db->f("ip")) { if ($db->f("me")!=$db->f("ip")) { - $err->raise("mem",5); - return false; + $err->raise("mem",5); + return false; } } $cuid=$db->f("uid"); @@ -215,7 +256,7 @@ class m_mem { function su($uid) { global $cuid,$db,$err; if (!$this->olduid) - $this->olduid=$cuid; + $this->olduid=$cuid; $db->query("select * from membres where uid='$uid';"); if ($db->num_rows()==0) { $err->raise("mem",1);