From d6ac29b69bf4c7a0815b6bc13f0e750802d5c3dd Mon Sep 17 00:00:00 2001
From: Florian Schaal <florian@schaal-24.de>
Date: Wed, 13 Dec 2017 15:15:45 +0100
Subject: [PATCH] Option to limit access for remote-user to specified IP(s) /
 hostname(s) (#4881)

---
 .../sql/incremental/upd_dev_collection.sql    |  2 +
 install/sql/ispconfig3.sql                    |  2 +
 interface/lib/classes/remoting.inc.php        | 35 +++++++++++
 .../lib/classes/validate_remote_user.inc.php  | 59 +++++++++++++++++++
 .../web/admin/form/remote_user.tform.php      | 21 +++++++
 .../web/admin/lib/lang/de_remote_user.lng     |  3 +
 .../web/admin/lib/lang/en_remote_user.lng     |  3 +
 .../web/admin/templates/remote_user_edit.htm  |  6 ++
 8 files changed, 131 insertions(+)
 create mode 100755 interface/lib/classes/validate_remote_user.inc.php

diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql
index 2458724d2e..f73a20b057 100644
--- a/install/sql/incremental/upd_dev_collection.sql
+++ b/install/sql/incremental/upd_dev_collection.sql
@@ -1 +1,3 @@
 ALTER TABLE `web_domain` ADD COLUMN `ssl_letsencrypt_exclude` enum('n','y') NOT NULL DEFAULT 'n' AFTER `ssl_letsencrypt`;
+ALTER TABLE `remote_user` ADD `remote_access` ENUM('y','n') NOT NULL DEFAULT 'y' AFTER `remote_password`;
+ALTER TABLE `remote_user` ADD `remote_ips` TEXT AFTER `remote_access`;
diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql
index 11755a34b9..9aa91701bc 100644
--- a/install/sql/ispconfig3.sql
+++ b/install/sql/ispconfig3.sql
@@ -1246,6 +1246,8 @@ CREATE TABLE `remote_user` (
   `sys_perm_other` varchar(5) default NULL,
   `remote_username` varchar(64) NOT NULL DEFAULT '',
   `remote_password` varchar(64) NOT NULL DEFAULT '',
+  `remote_access` enum('y','n') NOT NULL DEFAULT 'y',
+  `remote_ips` TEXT,
   `remote_functions` text,
   PRIMARY KEY  (`remote_userid`)
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
diff --git a/interface/lib/classes/remoting.inc.php b/interface/lib/classes/remoting.inc.php
index 87072d32b6..a3bb192d91 100644
--- a/interface/lib/classes/remoting.inc.php
+++ b/interface/lib/classes/remoting.inc.php
@@ -144,6 +144,41 @@ class remoting {
 			$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = md5(?)";
 			$remote_user = $app->db->queryOneRecord($sql, $username, $password);
 			if($remote_user['remote_userid'] > 0) {
+				$allowed_ips = explode(',',$remote_user['remote_ips']);
+				foreach($allowed_ips as $i => $allowed) { 
+					if(!filter_var($allowed, FILTER_VALIDATE_IP)) { 
+						// get the ip for a hostname
+						unset($allowed_ips[$i]);
+						$temp=dns_get_record($allowed, DNS_A+DNS_AAAA);
+						foreach($temp as $t) {
+							if(isset($t['ip'])) $allowed_ips[] = $t['ip'];
+							if(isset($t['ipv6'])) $allowed_ips[] = $t['ipv6'];
+						}
+						unset($temp);
+					}
+				}
+				$allowed_ips[] = '127.0.0.1';
+				$allowed_ips[] = '::1';
+				$allowed_ips=array_unique($allowed_ips);
+				$ip = $_SERVER['REMOTE_ADDR'];
+				$remote_allowed = @($ip == '::1' || $ip == '127.0.0.1')?true:false;
+				if(!$remote_allowed && $remote_user['remote_access'] == 'y') {
+					if(trim($remote_user['remote_ips']) == '') {
+						$remote_allowed=true;
+					} else {
+						$ip = inet_pton($_SERVER['REMOTE_ADDR']);
+						foreach($allowed_ips as $allowed) {
+							if($ip == inet_pton(trim($allowed))) {
+								$remote_allowed=true;
+								break;
+							}
+						}
+					}
+				}
+				if(!$remote_allowed) {
+					throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']);
+					return false;
+				}	
 				//* Create a remote user session
 				//srand ((double)microtime()*1000000);
 				$remote_session = md5(mt_rand().uniqid('ispco'));
diff --git a/interface/lib/classes/validate_remote_user.inc.php b/interface/lib/classes/validate_remote_user.inc.php
new file mode 100755
index 0000000000..1b941f04c5
--- /dev/null
+++ b/interface/lib/classes/validate_remote_user.inc.php
@@ -0,0 +1,59 @@
+<?php
+
+/*
+Copyright (c) 2017, Florian Schaal , schaal @it UG
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class validate_remote_user {
+
+	function valid_remote_ip($field_name, $field_value, $validator) {
+		global $app;
+
+		$values = explode(',', $field_value);
+		$regex = '/^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/';
+		foreach($values as $cur_value) {
+			$cur_value = trim($cur_value);
+			$valid = true;
+			if(function_exists('filter_var')) {
+				if(!filter_var($cur_value, FILTER_VALIDATE_IP)) {
+					$valid = false;
+					if(preg_match($regex, $cur_value)) $valid = true;
+				}
+			} else return "function filter_var missing <br />\r\n";
+
+			if($valid == false) {
+				$errmsg = $validator['errmsg'];
+				if(isset($app->tform->wordbook[$errmsg])) {
+					return $app->tform->wordbook[$errmsg]."<br>\r\n";
+				} else {
+					return $errmsg."<br>\r\n";
+				}
+			}
+		}
+	}
+
+}
diff --git a/interface/web/admin/form/remote_user.tform.php b/interface/web/admin/form/remote_user.tform.php
index 1ab2b0e0d5..895d9418a9 100644
--- a/interface/web/admin/form/remote_user.tform.php
+++ b/interface/web/admin/form/remote_user.tform.php
@@ -115,6 +115,27 @@ $form["tabs"]['remote_user'] = array (
 			'width'  => '30',
 			'maxlength' => '255'
 		),
+		'remote_access' => array (
+ 			'datatype' => 'VARCHAR',
+			'formtype' => 'CHECKBOX',
+			'default' => 'n',
+			'value'  => array(0 => 'n', 1 => 'y')
+        ),
+		'remote_ips' => array (
+			'datatype'  => 'TEXT',
+			'formtype'  => 'TEXT',
+			'validators'  => array (  
+				0 => array (
+					'type' => 'CUSTOM', 
+					'class' => 'validate_remote_user', 
+					'function' => 'valid_remote_ip', 
+					'errmsg' => 'remote_user_error_ips'),
+			),
+			'default' => '',
+			'value'   => '',
+			'width'   => '60',
+			'searchable' => 2
+		),
 		'remote_functions' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'CHECKBOXARRAY',
diff --git a/interface/web/admin/lib/lang/de_remote_user.lng b/interface/web/admin/lib/lang/de_remote_user.lng
index 1458d22ee5..164a0fb81a 100644
--- a/interface/web/admin/lib/lang/de_remote_user.lng
+++ b/interface/web/admin/lib/lang/de_remote_user.lng
@@ -44,4 +44,7 @@ $wb['generate_password_txt'] = 'Passwort erzeugen';
 $wb['repeat_password_txt'] = 'Passwort wiederholen';
 $wb['password_mismatch_txt'] = 'Die Passwörter stimmen nicht überein.';
 $wb['password_match_txt'] = 'Die Passwörter stimmen überein.';
+$wb['remote_user_error_ips'] = 'Mindestens eine eingegebene IP-Adresse oder ein Hostname ist ungueltig.';
+$wb['remote_access_txt'] = 'Entfernter Zugriff';
+$wb['remote_ips_txt'] = 'Entfernter Zugriff IP / Hostname (Mehrere mit Komma trennen, keine Angabe für <i>alle</i>)';
 ?>
diff --git a/interface/web/admin/lib/lang/en_remote_user.lng b/interface/web/admin/lib/lang/en_remote_user.lng
index 4868e39bdb..2fc633b555 100644
--- a/interface/web/admin/lib/lang/en_remote_user.lng
+++ b/interface/web/admin/lib/lang/en_remote_user.lng
@@ -44,4 +44,7 @@ $wb['generate_password_txt'] = 'Generate Password';
 $wb['repeat_password_txt'] = 'Repeat Password';
 $wb['password_mismatch_txt'] = 'The passwords do not match.';
 $wb['password_match_txt'] = 'The passwords do match.';
+$wb['remote_access_txt'] = 'Remote Access';
+$wb['remote_ips_txt'] = 'Remote Access IPs / Hostnames (separate by , and leave blank for <i>any</i>)';
+$wb['remote_user_error_ips'] = 'At least one of the entered ip addresses or hostnames is invalid.';
 ?>
diff --git a/interface/web/admin/templates/remote_user_edit.htm b/interface/web/admin/templates/remote_user_edit.htm
index dcfea7929d..099af58eb5 100644
--- a/interface/web/admin/templates/remote_user_edit.htm
+++ b/interface/web/admin/templates/remote_user_edit.htm
@@ -36,6 +36,12 @@
 					<div id="confirmpasswordOK" style="display:none;" class="confirmpasswordok">{tmpl_var name='password_match_txt'}</div>
 				</div>
 			</div>
+            <div class="form-group">
+                <label class="col-sm-3 control-label">{tmpl_var name='remote_access_txt'}</label>
+                <div class="col-sm-9">{tmpl_var name='remote_access'}</div></div>
+            <div class="form-group">
+                <label for="remote_ips" class="col-sm-3 control-label">{tmpl_var name='remote_ips_txt'}</label>
+                <div class="col-sm-9"><input type="text" name="remote_ips" id="remote_ips" value="{tmpl_var name='remote_ips'}" class="form-control" /></div></div>
             <div class="form-group">
                 <label class="col-sm-3 control-label">{tmpl_var name='function_txt'}</label>
                 <div class="col-sm-9">
-- 
GitLab