[geeklog-cvs] geeklog: Added missing check for allowed IP addresses in downloa...

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Fri Oct 3 08:42:10 EDT 2008


details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/2499b63f85dd
changeset: 6410:2499b63f85dd
user:      Dirk Haun <dirk at haun-online.de>
date:      Fri Oct 03 14:41:57 2008 +0200
description:
Added missing check for allowed IP addresses in downloader class (bug #0000709)

diffstat:

2 files changed, 13 insertions(+), 1 deletion(-)
public_html/docs/history            |    2 ++
system/classes/downloader.class.php |   12 +++++++++++-

diffs (41 lines):

diff -r aeced27e1da9 -r 2499b63f85dd public_html/docs/history
--- a/public_html/docs/history	Fri Oct 03 11:34:33 2008 +0200
+++ b/public_html/docs/history	Fri Oct 03 14:41:57 2008 +0200
@@ -3,6 +3,8 @@
 ??? ??, 2008 (1.5.2)
 ------------
 
+- Added missing check for allowed IP addresses in downloader class
+  (bug #0000709) [Dirk]
 - Force a refresh after uninstalling a plugin so that the plugin's entry
   disappears from the Admins block [Dirk]
 - Fixed an issue with story expiry dates on PHP 4/Windows (reported by zeb)
diff -r aeced27e1da9 -r 2499b63f85dd system/classes/downloader.class.php
--- a/system/classes/downloader.class.php	Fri Oct 03 11:34:33 2008 +0200
+++ b/system/classes/downloader.class.php	Fri Oct 03 14:41:57 2008 +0200
@@ -171,7 +171,7 @@
     function _logItem($logtype, $text)
     {
         $timestamp = strftime("%c");
-        if (!$file = fopen($this->_logFile,a)) {
+        if (!$file = fopen($this->_logFile, 'a')) {
             // couldn't open log file for writing so let's disable logging and add an error
             $this->setLogging(false);
             $this->_addError('Error writing to log file: ' . $this->_logFile . '.  Logging has been disabled');
@@ -481,6 +481,16 @@
     */
     function downloadFile($fileName)
     {
+        // Before we do anything, let's see if we are limiting file downloads by
+        // IP address and, if so, verify the user is originating from one of
+        // those places
+        if ($this->_limitByIP) {
+            if (!in_array($_SERVER['REMOTE_ADDR'], $this->_allowedIPS)) {
+                $this->_addError('The IP, ' . $_SERVER['REMOTE_ADDR'] . ' is not in the list of accepted IP addresses.  Refusing to allow file download(s)');
+                return false;
+            }
+        }
+
         if (strstr( PHP_OS, "WIN")) {  // Added as test1 below was failing on Windows platforms 
             $strPathSeparator = '\\';
             $this->_sourceDirectory = str_replace('/','\\',$this->_sourceDirectory);
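Review bot: The added `in_array()` call at the top of downloadFile() compares loosely, so a non-string entry in `_allowedIPS` (for example a boolean `true` left by a misconfigured setter) would match every client address; pass the strict flag: `if (!in_array($_SERVER['REMOTE_ADDR'], $this->_allowedIPS, true)) {`. `REMOTE_ADDR` is the right source because the client cannot set it through a header, but a comment should note that behind a reverse proxy or load balancer it holds the proxy's address, so the allowlist then admits or rejects all users together. The refusal is only handed to `_addError()`; if that does not already reach the log, a `_logItem()` call here would give operators a record of denied downloads. The body of downloadFile() continues past the end of this hunk, so whether any other path reaches the file without this check cannot be judged from here.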


