1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
|
<?php
/**
* These functions are shared by the Protect module and its related json-endpoints
*/
/**
* Returns an array of IP objects that will never be blocked by the Protect module
*
* The array is segmented into a local whitelist which applies only to the current site
* and a global whitelist which, for multisite installs, applies to the entire networko
*
* @return array
*/
function jetpack_protect_format_whitelist() {
$local_whitelist = jetpack_protect_get_local_whitelist();
$formatted = array(
'local' => array(),
);
foreach ( $local_whitelist as $item ) {
if ( $item->range ) {
$formatted['local'][] = $item->range_low . ' - ' . $item->range_high;
} else {
$formatted['local'][] = $item->ip_address;
}
}
if ( is_multisite() && current_user_can( 'manage_network' ) ) {
$formatted['global'] = array();
$global_whitelist = jetpack_protect_get_global_whitelist();
if ( false === $global_whitelist ) {
// If the global whitelist has never been set, check for a legacy option set prior to 3.6.
$global_whitelist = get_site_option( 'jetpack_protect_whitelist', array() );
}
foreach ( $global_whitelist as $item ) {
if ( $item->range ) {
$formatted['global'][] = $item->range_low . ' - ' . $item->range_high;
} else {
$formatted['global'][] = $item->ip_address;
}
}
}
return $formatted;
}
/**
* Gets the local Protect whitelist
*
* The 'local' part of the whitelist only really applies to multisite installs,
* which can have a network wide whitelist, as well as a local list that applies
* only to the current site. On single site installs, there will only be a local
* whitelist.
*
* @return array A list of IP Address objects or an empty array
*/
function jetpack_protect_get_local_whitelist() {
$whitelist = Jetpack_Options::get_option( 'protect_whitelist' );
if ( false === $whitelist ) {
// The local whitelist has never been set.
if ( is_multisite() ) {
// On a multisite, we can check for a legacy site_option that existed prior to v 3.6, or default to an empty array.
$whitelist = get_site_option( 'jetpack_protect_whitelist', array() );
} else {
// On a single site, we can just use an empty array.
$whitelist = array();
}
}
return $whitelist;
}
/**
* Get the global, network-wide whitelist
*
* It will revert to the legacy site_option if jetpack_protect_global_whitelist has never been set.
*
* @return array
*/
function jetpack_protect_get_global_whitelist() {
$whitelist = get_site_option( 'jetpack_protect_global_whitelist' );
if ( false === $whitelist ) {
// The global whitelist has never been set. Check for legacy site_option, or default to an empty array.
$whitelist = get_site_option( 'jetpack_protect_whitelist', array() );
}
return $whitelist;
}
/**
* Jetpack Protect Save Whitelist.
*
* @access public
* @param mixed $whitelist Whitelist.
* @param bool $global (default: false) Global.
* @return Bool.
*/
function jetpack_protect_save_whitelist( $whitelist, $global = false ) {
$whitelist_error = false;
$new_items = array();
if ( ! is_array( $whitelist ) ) {
return new WP_Error( 'invalid_parameters', __( 'Expecting an array', 'jetpack' ) );
}
if ( $global && ! is_multisite() ) {
return new WP_Error( 'invalid_parameters', __( 'Cannot use global flag on non-multisites', 'jetpack' ) );
}
if ( $global && ! current_user_can( 'manage_network' ) ) {
return new WP_Error( 'permission_denied', __( 'Only super admins can edit the global whitelist', 'jetpack' ) );
}
// Validate each item.
foreach ( $whitelist as $item ) {
$item = trim( $item );
if ( empty( $item ) ) {
continue;
}
$range = false;
if ( strpos( $item, '-' ) ) {
$item = explode( '-', $item );
$range = true;
}
$new_item = new stdClass();
$new_item->range = $range;
if ( ! empty( $range ) ) {
$low = trim( $item[0] );
$high = trim( $item[1] );
if ( ! filter_var( $low, FILTER_VALIDATE_IP ) || ! filter_var( $high, FILTER_VALIDATE_IP ) ) {
$whitelist_error = true;
break;
}
if ( ! jetpack_convert_ip_address( $low ) || ! jetpack_convert_ip_address( $high ) ) {
$whitelist_error = true;
break;
}
$new_item->range_low = $low;
$new_item->range_high = $high;
} else {
if ( ! filter_var( $item, FILTER_VALIDATE_IP ) ) {
$whitelist_error = true;
break;
}
if ( ! jetpack_convert_ip_address( $item ) ) {
$whitelist_error = true;
break;
}
$new_item->ip_address = $item;
}
$new_items[] = $new_item;
} // End item loop.
if ( ! empty( $whitelist_error ) ) {
return new WP_Error( 'invalid_ip', __( 'One of your IP addresses was not valid.', 'jetpack' ) );
}
if ( $global ) {
update_site_option( 'jetpack_protect_global_whitelist', $new_items );
// Once a user has saved their global whitelist, we can permanently remove the legacy option.
delete_site_option( 'jetpack_protect_whitelist' );
} else {
Jetpack_Options::update_option( 'protect_whitelist', $new_items );
}
return true;
}
/**
* Jetpack Protect Get IP.
*
* @access public
* @return IP.
*/
function jetpack_protect_get_ip() {
$trusted_header_data = get_site_option( 'trusted_ip_header' );
if ( isset( $trusted_header_data->trusted_header ) && isset( $_SERVER[ $trusted_header_data->trusted_header ] ) ) {
$ip = $_SERVER[ $trusted_header_data->trusted_header ];
$segments = $trusted_header_data->segments;
$reverse_order = $trusted_header_data->reverse;
} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
if ( ! $ip ) {
return false;
}
$ips = explode( ',', $ip );
if ( ! isset( $segments ) || ! $segments ) {
$segments = 1;
}
if ( isset( $reverse_order ) && $reverse_order ) {
$ips = array_reverse( $ips );
}
$ip_count = count( $ips );
if ( 1 === $ip_count ) {
return jetpack_clean_ip( $ips[0] );
} elseif ( $ip_count >= $segments ) {
$the_one = $ip_count - $segments;
return jetpack_clean_ip( $ips[ $the_one ] );
} else {
return jetpack_clean_ip( $_SERVER['REMOTE_ADDR'] );
}
}
/**
* Jetpack Clean IP.
*
* @access public
* @param mixed $ip IP.
* @return $ip IP.
*/
function jetpack_clean_ip( $ip ) {
// Some misconfigured servers give back extra info, which comes after "unless"
$ips = explode( ' unless ', $ip );
$ip = $ips[0];
$ip = trim( $ip );
// Check for IPv4 IP cast as IPv6.
if ( preg_match( '/^::ffff:(\d+\.\d+\.\d+\.\d+)$/', $ip, $matches ) ) {
$ip = $matches[1];
}
if ( function_exists( 'parse_url' ) ) {
$parsed_url = parse_url( $ip );
if ( isset( $parsed_url['host'] ) ) {
$ip = $parsed_url['host'];
} elseif ( isset( $parsed_url['path'] ) ) {
$ip = $parsed_url['path'];
}
} else {
$colon_count = substr_count( $ip, ':' );
if ( 1 == $colon_count ) {
$ips = explode( ':', $ip );
$ip = $ips[0];
}
}
return $ip;
}
/**
* Checks an IP to see if it is within a private range.
*
* @param int $ip IP.
* @return bool
*/
function jetpack_protect_ip_is_private( $ip ) {
// We are dealing with ipv6, so we can simply rely on filter_var.
if ( false === strpos( $ip, '.' ) ) {
return ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}
// We are dealing with ipv4.
$private_ip4_addresses = array(
'10.0.0.0|10.255.255.255', // Single class A network.
'172.16.0.0|172.31.255.255', // 16 contiguous class B network.
'192.168.0.0|192.168.255.255', // 256 contiguous class C network.
'169.254.0.0|169.254.255.255', // Link-local address also referred to as Automatic Private IP Addressing.
'127.0.0.0|127.255.255.255', // localhost.
);
$long_ip = ip2long( $ip );
if ( -1 !== $long_ip ) {
foreach ( $private_ip4_addresses as $pri_addr ) {
list ( $start, $end ) = explode( '|', $pri_addr );
if ( $long_ip >= ip2long( $start ) && $long_ip <= ip2long( $end ) ) {
return true;
}
}
}
return false;
}
/**
* Uses inet_pton if available to convert an IP address to a binary string.
* If inet_pton is not available, ip2long will convert the address to an integer.
* Returns false if an invalid IP address is given.
*
* NOTE: ip2long will return false for any ipv6 address. servers that do not support
* inet_pton will not support ipv6
*
* @access public
* @param mixed $ip IP.
* @return int|string|bool
*/
function jetpack_convert_ip_address( $ip ) {
if ( function_exists( 'inet_pton' ) ) {
return inet_pton( $ip );
}
return ip2long( $ip );
}
/**
* Checks that a given IP address is within a given low - high range.
* Servers that support inet_pton will use that function to convert the ip to number,
* while other servers will use ip2long.
*
* NOTE: servers that do not support inet_pton cannot support ipv6.
*
* @access public
* @param mixed $ip IP.
* @param mixed $range_low Range Low.
* @param mixed $range_high Range High.
* @return Bool.
*/
function jetpack_protect_ip_address_is_in_range( $ip, $range_low, $range_high ) {
// The inet_pton will give us binary string of an ipv4 or ipv6.
// We can then use strcmp to see if the address is in range.
if ( function_exists( 'inet_pton' ) ) {
$ip_num = inet_pton( $ip );
$ip_low = inet_pton( $range_low );
$ip_high = inet_pton( $range_high );
if ( $ip_num && $ip_low && $ip_high && strcmp( $ip_num, $ip_low ) >= 0 && strcmp( $ip_num, $ip_high ) <= 0 ) {
return true;
}
// The ip2long will give us an integer of an ipv4 address only. it will produce FALSE for ipv6.
} else {
$ip_num = ip2long( $ip );
$ip_low = ip2long( $range_low );
$ip_high = ip2long( $range_high );
if ( $ip_num && $ip_low && $ip_high && $ip_num >= $ip_low && $ip_num <= $ip_high ) {
return true;
}
}
return false;
}
|
GitWeb