PageRenderTime 53ms CodeModel.GetById 22ms RepoModel.GetById 0ms app.codeStats 0ms

/wp-content/plugins/wordfence/waf/wfWAFUserIPRange.php

https://gitlab.com/edgarze188/sunrise
PHP | 239 lines | 165 code | 23 blank | 51 comment | 57 complexity | ef6639964533ca1aa8b172eacf317f3c MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  *
    5. 

  5.  */
    6. 

  6. class wfWAFUserIPRange {
    7. 

  7. 

  8. 	/**
    9. 

  9. 	 * @var string|null
    10. 

  10. 	 */
    11. 

  11. 	private $ip_string;
    12. 

  12. 

  13. 	/**
    14. 

  14. 	 * @param string|null $ip_string
    15. 

  15. 	 */
    16. 

  16. 	public function __construct($ip_string = null) {
    17. 

  17. 		$this->setIPString($ip_string);
    18. 

  18. 	}
    19. 

  19. 

  20. 	/**
    21. 

  21. 	 * Check if the supplied IP address is within the user supplied range.
    22. 

  22. 	 *
    23. 

  23. 	 * @param string $ip
    24. 

  24. 	 * @return bool
    25. 

  25. 	 */
    26. 

  26. 	public function isIPInRange($ip) {
    27. 

  27. 		$ip_string = $this->getIPString();
    28. 

  28. 

  29. 		// IPv4 range
    30. 

  30. 		if (strpos($ip_string, '.') !== false && strpos($ip, '.') !== false) {
    31. 

  31. 			// IPv4-mapped-IPv6
    32. 

  32. 			if (preg_match('/:ffff:([^:]+)$/i', $ip_string, $matches)) {
    33. 

  33. 				$ip_string = $matches[1];
    34. 

  34. 			}
    35. 

  35. 			if (preg_match('/:ffff:([^:]+)$/i', $ip, $matches)) {
    36. 

  36. 				$ip = $matches[1];
    37. 

  37. 			}
    38. 

  38. 			
    39. 

  39. 			// Range check
    40. 

  40. 			if (preg_match('/\[\d+\-\d+\]/', $ip_string)) {
    41. 

  41. 				$IPparts = explode('.', $ip);
    42. 

  42. 				$whiteParts = explode('.', $ip_string);
    43. 

  43. 				$mismatch = false;
    44. 

  44. 				for ($i = 0; $i <= 3; $i++) {
    45. 

  45. 					if (preg_match('/^\[(\d+)\-(\d+)\]$/', $whiteParts[$i], $m)) {
    46. 

  46. 						if ($IPparts[$i] < $m[1] || $IPparts[$i] > $m[2]) {
    47. 

  47. 							$mismatch = true;
    48. 

  48. 						}
    49. 

  49. 					} else if ($whiteParts[$i] != $IPparts[$i]) {
    50. 

  50. 						$mismatch = true;
    51. 

  51. 					}
    52. 

  52. 				}
    53. 

  53. 				if ($mismatch === false) {
    54. 

  54. 					return true; // Is whitelisted because we did not get a mismatch
    55. 

  55. 				}
    56. 

  56. 			} else if ($ip_string == $ip) {
    57. 

  57. 				return true;
    58. 

  58. 			}
    59. 

  59. 

  60. 			// IPv6 range
    61. 

  61. 		} else if (strpos($ip_string, ':') !== false && strpos($ip, ':') !== false) {
    62. 

  62. 			$ip = strtolower(wfWAFUtils::expandIPv6Address($ip));
    63. 

  63. 			$ip_string = strtolower(self::expandIPv6Range($ip_string));
    64. 

  64. 			if (preg_match('/\[[a-f0-9]+\-[a-f0-9]+\]/i', $ip_string)) {
    65. 

  65. 				$IPparts = explode(':', $ip);
    66. 

  66. 				$whiteParts = explode(':', $ip_string);
    67. 

  67. 				$mismatch = false;
    68. 

  68. 				for ($i = 0; $i <= 7; $i++) {
    69. 

  69. 					if (preg_match('/^\[([a-f0-9]+)\-([a-f0-9]+)\]$/i', $whiteParts[$i], $m)) {
    70. 

  70. 						$ip_group = hexdec($IPparts[$i]);
    71. 

  71. 						$range_group_from = hexdec($m[1]);
    72. 

  72. 						$range_group_to = hexdec($m[2]);
    73. 

  73. 						if ($ip_group < $range_group_from || $ip_group > $range_group_to) {
    74. 

  74. 							$mismatch = true;
    75. 

  75. 							break;
    76. 

  76. 						}
    77. 

  77. 					} else if ($whiteParts[$i] != $IPparts[$i]) {
    78. 

  78. 						$mismatch = true;
    79. 

  79. 						break;
    80. 

  80. 					}
    81. 

  81. 				}
    82. 

  82. 				if ($mismatch === false) {
    83. 

  83. 					return true; // Is whitelisted because we did not get a mismatch
    84. 

  84. 				}
    85. 

  85. 			} else if ($ip_string == $ip) {
    86. 

  86. 				return true;
    87. 

  87. 			}
    88. 

  88. 		}
    89. 

  89. 

  90. 		return false;
    91. 

  91. 	}
    92. 

  92. 

  93. 	/**
    94. 

  94. 	 * Return a set of where clauses to use in MySQL.
    95. 

  95. 	 *
    96. 

  96. 	 * @param string $column
    97. 

  97. 	 * @return false|null|string
    98. 

  98. 	 */
    99. 

  99. 	public function toSQL($column = 'ip') {
    100. 

  100. 		/** @var wpdb $wpdb */
    101. 

  101. 		global $wpdb;
    102. 

  102. 		$ip_string = $this->getIPString();
    103. 

  103. 

  104. 		if (strpos($ip_string, '.') !== false && preg_match('/\[\d+\-\d+\]/', $ip_string)) {
    105. 

  105. 			$whiteParts = explode('.', $ip_string);
    106. 

  106. 			$sql = "(SUBSTR($column, 1, 12) = LPAD(CHAR(0xff, 0xff), 12, CHAR(0)) AND ";
    107. 

  107. 

  108. 			for ($i = 0, $j = 24; $i <= 3; $i++, $j -= 8) {
    109. 

  109. 				// MySQL can only perform bitwise operations on integers
    110. 

  110. 				$conv = sprintf('CAST(CONV(HEX(SUBSTR(%s, 13, 8)), 16, 10) as UNSIGNED INTEGER)', $column);
    111. 

  111. 				if (preg_match('/^\[(\d+)\-(\d+)\]$/', $whiteParts[$i], $m)) {
    112. 

  112. 					$sql .= $wpdb->prepare("$conv >> $j & 0xFF BETWEEN %d AND %d", $m[1], $m[2]);
    113. 

  113. 				} else {
    114. 

  114. 					$sql .= $wpdb->prepare("$conv >> $j & 0xFF = %d", $whiteParts[$i]);
    115. 

  115. 				}
    116. 

  116. 				$sql .= ' AND ';
    117. 

  117. 			}
    118. 

  118. 			$sql = substr($sql, 0, -5) . ')';
    119. 

  119. 			return $sql;
    120. 

  120. 			
    121. 

  121. 		} else if (strpos($ip_string, ':') !== false) {
    122. 

  122. 			$ip_string = strtolower(self::expandIPv6Range($ip_string));
    123. 

  123. 			if (preg_match('/\[[a-f0-9]+\-[a-f0-9]+\]/i', $ip_string)) {
    124. 

  124. 				$whiteParts = explode(':', $ip_string);
    125. 

  125. 				$sql = '(';
    126. 

  126. 				
    127. 

  127. 				for ($i = 0; $i <= 7; $i++) {
    128. 

  128. 					// MySQL can only perform bitwise operations on integers
    129. 

  129. 					$conv = sprintf('CAST(CONV(HEX(SUBSTR(%s, %d, 8)), 16, 10) as UNSIGNED INTEGER)', $column, $i < 4 ? 1 : 9);
    130. 

  130. 					$j = 16 * (3 - ($i % 4));
    131. 

  131. 					if (preg_match('/^\[([a-f0-9]+)\-([a-f0-9]+)\]$/i', $whiteParts[$i], $m)) {
    132. 

  132. 						$sql .= $wpdb->prepare("$conv >> $j & 0xFFFF BETWEEN 0x%x AND 0x%x", hexdec($m[1]), hexdec($m[2]));
    133. 

  133. 					} else {
    134. 

  134. 						$sql .= $wpdb->prepare("$conv >> $j & 0xFFFF = 0x%x", hexdec($whiteParts[$i]));
    135. 

  135. 					}
    136. 

  136. 					$sql .= ' AND ';
    137. 

  137. 				}
    138. 

  138. 				$sql = substr($sql, 0, -5) . ')';
    139. 

  139. 				return $sql;
    140. 

  140. 			}
    141. 

  141. 		}
    142. 

  142. 		
    143. 

  143. 		return $wpdb->prepare("($column = %s)", wfWAFUtils::inet_pton($ip_string));
    144. 

  144. 	}
    145. 

  145. 

  146. 	/**
    147. 

  147. 	 * Expand a compressed printable range representation of an IPv6 address.
    148. 

  148. 	 *
    149. 

  149. 	 * @todo Hook up exceptions for better error handling.
    150. 

  150. 	 * @todo Allow IPv4 mapped IPv6 addresses (::ffff:192.168.1.1).
    151. 

  151. 	 * @param string $ip_range
    152. 

  152. 	 * @return string
    153. 

  153. 	 */
    154. 

  154. 	public static function expandIPv6Range($ip_range) {
    155. 

  155. 		$colon_count = substr_count($ip_range, ':');
    156. 

  156. 		$dbl_colon_count = substr_count($ip_range, '::');
    157. 

  157. 		if ($dbl_colon_count > 1) {
    158. 

  158. 			return false;
    159. 

  159. 		}
    160. 

  160. 		$dbl_colon_pos = strpos($ip_range, '::');
    161. 

  161. 		if ($dbl_colon_pos !== false) {
    162. 

  162. 			$ip_range = str_replace('::', str_repeat(':0000',
    163. 

  163. 					(($dbl_colon_pos === 0 || $dbl_colon_pos === strlen($ip_range) - 2) ? 9 : 8) - $colon_count) . ':', $ip_range);
    164. 

  164. 			$ip_range = trim($ip_range, ':');
    165. 

  165. 		}
    166. 

  166. 		$colon_count = substr_count($ip_range, ':');
    167. 

  167. 		if ($colon_count != 7) {
    168. 

  168. 			return false;
    169. 

  169. 		}
    170. 

  170. 

  171. 		$groups = explode(':', $ip_range);
    172. 

  172. 		$expanded = '';
    173. 

  173. 		foreach ($groups as $group) {
    174. 

  174. 			if (preg_match('/\[([a-f0-9]{1,4})\-([a-f0-9]{1,4})\]/i', $group, $matches)) {
    175. 

  175. 				$expanded .= sprintf('[%s-%s]', str_pad(strtolower($matches[1]), 4, '0', STR_PAD_LEFT), str_pad(strtolower($matches[2]), 4, '0', STR_PAD_LEFT)) . ':';
    176. 

  176. 			} else if (preg_match('/[a-f0-9]{1,4}/i', $group)) {
    177. 

  177. 				$expanded .= str_pad(strtolower($group), 4, '0', STR_PAD_LEFT) . ':';
    178. 

  178. 			} else {
    179. 

  179. 				return false;
    180. 

  180. 			}
    181. 

  181. 		}
    182. 

  182. 		return trim($expanded, ':');
    183. 

  183. 	}
    184. 

  184. 

  185. 	/**
    186. 

  186. 	 * @return bool
    187. 

  187. 	 */
    188. 

  188. 	public function isValidRange() {
    189. 

  189. 		return $this->isValidIPv4Range() || $this->isValidIPv6Range();
    190. 

  190. 	}
    191. 

  191. 

  192. 	/**
    193. 

  193. 	 * @return bool
    194. 

  194. 	 */
    195. 

  195. 	public function isValidIPv4Range() {
    196. 

  196. 		$ip_string = $this->getIPString();
    197. 

  197. 		if (preg_match_all('/(\d+)/', $ip_string, $matches) > 0) {
    198. 

  198. 			foreach ($matches[1] as $match) {
    199. 

  199. 				$group = (int) $match;
    200. 

  200. 				if ($group > 255 || $group < 0) {
    201. 

  201. 					return false;
    202. 

  202. 				}
    203. 

  203. 			}
    204. 

  204. 		}
    205. 

  205. 

  206. 		$group_regex = '([0-9]{1,3}|\[[0-9]{1,3}\-[0-9]{1,3}\])';
    207. 

  207. 		return preg_match('/^' . str_repeat("$group_regex.", 3) . $group_regex . '$/i', $ip_string) > 0;
    208. 

  208. 	}
    209. 

  209. 

  210. 	/**
    211. 

  211. 	 * @return bool
    212. 

  212. 	 */
    213. 

  213. 	public function isValidIPv6Range() {
    214. 

  214. 		$ip_string = $this->getIPString();
    215. 

  215. 		if (strpos($ip_string, '::') !== false) {
    216. 

  216. 			$ip_string = self::expandIPv6Range($ip_string);
    217. 

  217. 		}
    218. 

  218. 		if (!$ip_string) {
    219. 

  219. 			return false;
    220. 

  220. 		}
    221. 

  221. 		$group_regex = '([a-f0-9]{1,4}|\[[a-f0-9]{1,4}\-[a-f0-9]{1,4}\])';
    222. 

  222. 		return preg_match('/^' . str_repeat("$group_regex:", 7) . $group_regex . '$/i', $ip_string) > 0;
    223. 

  223. 	}
    224. 

  224. 

  225. 

  226. 	/**
    227. 

  227. 	 * @return string|null
    228. 

  228. 	 */
    229. 

  229. 	public function getIPString() {
    230. 

  230. 		return $this->ip_string;
    231. 

  231. 	}
    232. 

  232. 

  233. 	/**
    234. 

  234. 	 * @param string|null $ip_string
    235. 

  235. 	 */
    236. 

  236. 	public function setIPString($ip_string) {
    237. 

  237. 		$this->ip_string = strtolower(preg_replace('/[\x{2013}-\x{2015}]/u', '-', $ip_string)); //Replace em-dash, en-dash, and horizontal bar with a regular dash
    238. 

  238. 	}
    239. 

  239. }
    240. 

  240.