From cede9bbe43f39d44317b7cd9ba742a71d45e67f9 Mon Sep 17 00:00:00 2001 From: David Cook Date: Thu, 30 Jan 2020 14:53:09 +1100 Subject: [PATCH] Bug 24537: Allow IP ranges in ILS-DI:AuthorizedIPs using Net::Netmask This patch uses Net::Netmask to match IPs from ILS-DI:AuthorizedIPs against $ENV{REMOTE_USER}. By using Net::Netmask, we can use addresses in a variety of formats. This includes 127.0.0.1, 192.168.1.0/24, 10.0.0, and so on. To Test: 1. Apply the patch 2. Empty the 'ILS-DI:AuthorizedIPs' system preference 3. Send a request to '/cgi-bin/koha/ilsdi.pl?service=LookupPatron&id=1&id_type=cardnumber' 3b. Note that the request is successful 4. Set the 'ILS-DI:AuthorizedIPs' system preference to a subnet including your IP address (e.g. 192.168.1.0/24) 5. Send a request to '/cgi-bin/koha/ilsdi.pl?service=LookupPatron&id=1&id_type=cardnumber' 5b. Note that the request is successful 6. Set the 'ILS-DI:AuthorizedIPs' system preference to a subnet that doesn't include your IP address (e.g. 1.1.1) 7. Send a request to '/cgi-bin/koha/ilsdi.pl?service=LookupPatron&id=1&id_type=cardnumber' 7b. Note that your request is refused 8. Try a variety of permutations including bad values (e.g. 192.168.1.) or multiple values (e.g. 10.0.0.0/8,192.168.1.0/24) or multiple values including a mix of good and bad values Signed-off-by: David Nind Signed-off-by: Kyle M Hall Signed-off-by: Martin Renvoize --- opac/ilsdi.pl | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/opac/ilsdi.pl b/opac/ilsdi.pl index 274808cf97..c9c01a9ce0 100755 --- a/opac/ilsdi.pl +++ b/opac/ilsdi.pl @@ -27,6 +27,7 @@ use C4::Context; use List::MoreUtils qw(any); use XML::Simple; use CGI qw ( -utf8 ); +use Net::Netmask; =head1 DLF ILS-DI for Koha 
@@ -164,11 +165,19 @@ unless ( C4::Context->preference('ILS-DI') ) {
 # If the remote address is not allowed, redirect to 403
 my @AuthorizedIPs = split(/,/, C4::Context->preference('ILS-DI:AuthorizedIPs'));
-if ( @AuthorizedIPs # If no filter set, allow access to everybody
- and not any { $ENV{'REMOTE_ADDR'} eq $_ } @AuthorizedIPs # IP Check
- ) {
- $out->{'code'} = "NotAllowed";
- $out->{'message'} = "Unauthorized IP address: ".$ENV{'REMOTE_ADDR'}.".";
+if ( @AuthorizedIPs ){ # If no filter set, allow access to everybody
+ my $authorized = 0;
+ foreach my $ip (@AuthorizedIPs){
+ my $netmask = Net::Netmask->new2($ip);
+ if ( $netmask && $netmask->match($ENV{'REMOTE_ADDR'}) ){
+ $authorized = 1;
+ last;
+ }
+ }
+ unless ($authorized){
+ $out->{'code'} = "NotAllowed";
+ $out->{'message'} = "Unauthorized IP address: ".$ENV{'REMOTE_ADDR'}.".";
+ }
 }
 my $service = $cgi->param('service') || "ilsdi";
-- 
2.39.5
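Review bot: An entry that `Net::Netmask->new2` rejects is dropped silently inside the foreach, so a typo such as the `192.168.1.` from the test plan never surfaces anywhere and the operator cannot tell that the effective allow list differs from the configured one; log it on the undef branch, e.g. `warn "ILS-DI:AuthorizedIPs: ignoring unparseable entry '$ip': " . Net::Netmask::errstr();` before moving on. Worth a comment next to the `new2` call that Net::Netmask expands abbreviated forms to the containing network (`10.0.0` becomes 10.0.0.0/24, `10` becomes 10.0.0.0/8, and per its docs `default` means 0.0.0.0/0), so an entry that is merely short widens access rather than failing. `split(/,/, ...)` on the context line above keeps surrounding whitespace on each entry when the preference is written as `10.0.0.0/8, 192.168.1.0/24`; unless Net::Netmask trims it (not confirmed here) the second entry parses as invalid and is dropped, so `split(/\s*,\s*/, ...)` would be safer. Whether `match` copes with an IPv6 `REMOTE_ADDR` depends on the installed Net::Netmask version, so the fail-closed outcome in that case should be confirmed rather than assumed.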