From d6ab5df482ebe96c849a1c0103d8c6e880699f38 Mon Sep 17 00:00:00 2001
From: boyska
Date: Mon, 17 Sep 2018 12:02:28 +0200
Subject: [PATCH] auth_proxy: proxy MUST be whitelisted
---
 plugins/auth_proxy/init.php | 38 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/plugins/auth_proxy/init.php b/plugins/auth_proxy/init.php
index 67aaec64..6a3e576b 100644
--- a/plugins/auth_proxy/init.php
+++ b/plugins/auth_proxy/init.php
@@ -20,11 +20,47 @@ class Auth_Proxy extends Plugin implements IAuthModule {
 $host->add_hook($host::HOOK_AUTH_USER, $this);
 }
+ /*
+ * is_whitelisted check if an IP is whitelisted by defined values in config.php
+ * it will check by-IP and by-NAME
+ * currently, only exact IP is supported (no cidr, no wildcard); this is a TODO
+ * check by
+ */
+ private function is_whitelisted($client_ip) {
+ if(!defined('AUTHPROXY_WHITELIST_IP') && !defined('AUTHPROXY_WHITELIST_NAME')) {
+ // TODO: send a warning: this is a misconfiguration!
+ return false;
+ }
+ if(defined('AUTHPROXY_WHITELIST_IP')) {
+ $whitelist = explode(' ', AUTHPROXY_WHITELIST_IP);
+ foreach($whitelist as $w_ip) {
+ if($client_ip === $w_ip) {
+ return true;
+ }
+ }
+ }
+ if(defined('AUTHPROXY_WHITELIST_NAME')) {
+ $whitelist = explode(' ', AUTHPROXY_WHITELIST_NAME);
+ foreach($whitelist as $w_name) {
+ foreach(gethostbynamel($w_name) as $w_ip) {
+ if($client_ip === $w_ip) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
+
 /**
 * @SuppressWarnings(PHPMD.UnusedFormalParameter)
 */
 function authenticate($login, $password) {
- // TODO: check source ip!
+ $client_ip = $_SERVER['REMOTE_ADDR'];
+ if($this->is_whitelisted($client_ip) === false) {
+ return false;
+ }
+
 if(!array_key_exists("HTTP_X_FORWARDED_USER", $_SERVER)) {
 return false;
 }
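Review bot: `foreach(gethostbynamel($w_name) as $w_ip)` in the new `is_whitelisted` iterates the return value unguarded, but `gethostbynamel()` returns `false` when the name does not resolve, so a DNS hiccup or a typo in AUTHPROXY_WHITELIST_NAME yields only a PHP warning and silently denies every proxy configured by name; guard it with `$resolved = gethostbynamel($w_name);` / `if ($resolved === false) { continue; }` (and log the failure) before the inner loop. Because that lookup returns A records only and is repeated on every login, the by-name path can never match an IPv6 REMOTE_ADDR and makes the authorization decision depend on whatever the resolver answers at that moment, which deserves a sentence in the header comment — whose last line, `* check by`, is also left unfinished. The misconfiguration branch still carries `// TODO: send a warning: this is a misconfiguration!`; returning false with no log entry hides why every login fails, so emitting that warning belongs in this commit rather than in a TODO. The body of `authenticate` continues past the end of the hunk.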