From 498804f8a529e4d35450754094d101d929393094 Mon Sep 17 00:00:00 2001
From: "Kevin @ Navigram" <37534869+Kevin-at-Navigram@users.noreply.github.com>
Date: Sun, 19 May 2019 07:40:20 +0200
Subject: [PATCH] Basic IP white- and blacklisting (#178)
---
 .editorconfig | 13 +++++++++++
 tinyfilemanager.php | 55 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 .editorconfig
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..b585a76
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,13 @@
+# Editor configuration, see https://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 4
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+max_line_length = off
+trim_trailing_whitespace = false
diff --git a/tinyfilemanager.php b/tinyfilemanager.php
index 42067a6..d2481f0 100644
--- a/tinyfilemanager.php
+++ b/tinyfilemanager.php
@@ -15,6 +15,7 @@ define('VERSION', '2.3.5');
 define('APP_TITLE', 'Tiny File Manager');
 // Auth with login/password (set true/false to enable/disable it)
+// Is independent from IP white- and blacklisting
 $use_auth = true;
 // Users: array('Username' => 'Password', 'Username2' => 'Password2', ...)
@@ -29,6 +30,27 @@ $readonly_users = array(
 'user'
 );
+// Possible rules are 'OFF', 'AND' or 'OR'
+// OFF => Don't check connection IP, defaults to OFF
+// AND => Connection must be on the whitelist, and not on the blacklist
+// OR => Connection must be on the whitelist, or not on the blacklist
+$ip_ruleset = 'OFF';
+
+// Should users be notified of their block?
+$ip_silent = true;
+
+// IP-addresses, both ipv4 and ipv6
+$ip_whitelist = array(
+ '127.0.0.1', // local ipv4
+ '::1' // local ipv6
+);
+
+// IP-addresses, both ipv4 and ipv6
+$ip_blacklist = array(
+ '0.0.0.0', // non-routable meta ipv4
+ '::' // non-routable meta ipv6
+);
+
 // user specific directories
 // array('Username' => 'Directory path', 'Username2' => 'Directory path', ...)
 $directories_users = array();
@@ -167,6 +189,39 @@ if (isset($_GET['img'])) {
 fm_show_image($_GET['img']);
 }
+// Validate connection IP
+if($ip_ruleset != 'OFF'){
+ $clientIp = $_SERVER['REMOTE_ADDR'];
+
+ $proceed = false;
+
+ $whitelisted = in_array($clientIp, $ip_whitelist);
+ $blacklisted = in_array($clientIp, $ip_blacklist);
+
+ if($ip_ruleset == 'AND'){
+ if($whitelisted == true && $blacklisted == false){
+ $proceed = true;
+ }
+ } else
+ if($ip_ruleset == 'OR'){
+ if($whitelisted == true || $blacklisted == false){
+ $proceed = true;
+ }
+ }
+
+ if($proceed == false){
+ trigger_error('User connection denied from: ' . $clientIp, E_USER_WARNING);
+
+ if($ip_silent == false){
+ fm_set_msg('Access denied. IP restriction applicable', 'error');
+ fm_show_header_login();
+ fm_show_message();
+ }
+
+ exit();
+ }
+}
+
 // Auth
 if ($use_auth) {
 if (isset($_SESSION[FM_SESSION_ID]['logged'], $auth_users[$_SESSION[FM_SESSION_ID]['logged']])) {
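Review bot: The comments above `$ip_whitelist` and `$ip_blacklist` should state that entries are matched by exact string comparison, because the check added later in this commit passes `$_SERVER['REMOTE_ADDR']` to `in_array` against these arrays: there is no CIDR or wildcard support, and an IPv6 address only matches when written the way PHP reports it, so a client seen as `::ffff:127.0.0.1` does not match the `127.0.0.1` entry. A suggested comment for each list: `// Exact-match entries only (no CIDR/wildcards); IPv6 must be written as REMOTE_ADDR reports it`. The `$ip_ruleset` comment would also benefit from noting that any value other than the three listed causes every request to be denied, which is the fail-closed outcome of the validation block below.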
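Review bot: The new IP validation runs after the `$_GET['img']` handler shown as context at the top of the hunk, so if `fm_show_image()` (defined outside the hunk) emits the file and exits, that endpoint is reachable regardless of `$ip_ruleset`; the block should sit above every request handler in the file, not only above the login check. The deny path also calls `exit()` without setting a status, so a blocked client receives an empty 200 and access logs cannot distinguish the refusal from success; add `http_response_code(403);` immediately before `if($ip_silent == false){`. Both lookups should compare strictly: `$whitelisted = in_array($clientIp, $ip_whitelist, true);` and `$blacklisted = in_array($clientIp, $ip_blacklist, true);`. Since `trigger_error(..., E_USER_WARNING)` is written into the response whenever `display_errors` is on, `error_log()` is the safer call for a check whose silent mode is meant to reveal nothing to the client. Finally, `$_SERVER['REMOTE_ADDR']` is the TCP peer, so behind a reverse proxy the lists apply to the proxy's address; a comment at `$clientIp = $_SERVER['REMOTE_ADDR'];` saying so would save operators a surprise.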