Files
SIGE-WEB-snapshot/ambiente-de-test/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-utility-htaccess.php

619 lines
23 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?php
if (!defined('ABSPATH')) {
exit;//Exit if accessed directly
}
class AIOWPSecurity_Utility_Htaccess {
// The following variables will store the comment markers for each of features added to the .htacces file
// This will make it easy to locate the blocks of code for deletion if someone disables a feature
public static $ip_blacklist_marker_start = '#AIOWPS_IP_BLACKLIST_START';
public static $ip_blacklist_marker_end = '#AIOWPS_IP_BLACKLIST_END';
public static $prevent_wp_file_access_marker_start = '#AIOWPS_BLOCK_WP_FILE_ACCESS_START';
public static $prevent_wp_file_access_marker_end = '#AIOWPS_BLOCK_WP_FILE_ACCESS_END';
public static $basic_htaccess_rules_marker_start = '#AIOWPS_BASIC_HTACCESS_RULES_START';
public static $basic_htaccess_rules_marker_end = '#AIOWPS_BASIC_HTACCESS_RULES_END';
public static $debug_log_block_htaccess_rules_marker_start = '#AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_START';
public static $debug_log_block_htaccess_rules_marker_end = '#AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_END';
public static $user_agent_blacklist_marker_start = '#AIOWPS_USER_AGENT_BLACKLIST_START';
public static $user_agent_blacklist_marker_end = '#AIOWPS_USER_AGENT_BLACKLIST_END';
public static $enable_brute_force_attack_prevention_marker_start = '#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_START';
public static $enable_brute_force_attack_prevention_marker_end = '#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_END';
public static $disable_index_views_marker_start = '#AIOWPS_DISABLE_INDEX_VIEWS_START';
public static $disable_index_views_marker_end = '#AIOWPS_DISABLE_INDEX_VIEWS_END';
public static $disable_trace_track_marker_start = '#AIOWPS_DISABLE_TRACE_TRACK_START';
public static $disable_trace_track_marker_end = '#AIOWPS_DISABLE_TRACE_TRACK_END';
public static $five_g_blacklist_marker_start = '#AIOWPS_FIVE_G_BLACKLIST_START';
public static $five_g_blacklist_marker_end = '#AIOWPS_FIVE_G_BLACKLIST_END';
public static $six_g_blacklist_marker_start = '#AIOWPS_SIX_G_BLACKLIST_START';
public static $six_g_blacklist_marker_end = '#AIOWPS_SIX_G_BLACKLIST_END';
public static $block_spambots_marker_start = '#AIOWPS_BLOCK_SPAMBOTS_START';
public static $block_spambots_marker_end = '#AIOWPS_BLOCK_SPAMBOTS_END';
public static $enable_login_whitelist_marker_start = '#AIOWPS_LOGIN_WHITELIST_START';
public static $enable_login_whitelist_marker_end = '#AIOWPS_LOGIN_WHITELIST_END';
public static $prevent_image_hotlinks_marker_start = '#AIOWPS_PREVENT_IMAGE_HOTLINKS_START';
public static $prevent_image_hotlinks_marker_end = '#AIOWPS_PREVENT_IMAGE_HOTLINKS_END';
public static $custom_rules_marker_start = '#AIOWPS_CUSTOM_RULES_START';
public static $custom_rules_marker_end = '#AIOWPS_CUSTOM_RULES_END';
/**
* TODO - enter more markers as new .htaccess features are added
*/
public function __construct() {
//NOP
}
/**
* Write all active rules to .htaccess file.
*
* @return boolean True on success, false on failure.
*/
public static function write_to_htaccess() {
global $aio_wp_security;
//figure out what server is being used
if (-1 == AIOWPSecurity_Utility::get_server_type() && !defined('WP_CLI')) {
$aio_wp_security->debug_logger->log_debug("Unable to write to .htaccess - server type not supported.", 4);
return false; //unable to write to the file
}
//clean up old rules first
if (-1 == AIOWPSecurity_Utility_Htaccess::delete_from_htaccess()) {
$aio_wp_security->debug_logger->log_debug("Delete operation of .htaccess file failed.", 4);
return false; //unable to write to the file
}
$home_path = AIOWPSecurity_Utility_File::get_home_path();
$htaccess = $home_path . '.htaccess';
$f = @fopen($htaccess, 'a+'); // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged -- ignore warning as we try to handle it below
if (!$f) {
@chmod($htaccess, 0644); // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged -- ignore warning as we try to handle it below
$f = @fopen($htaccess, 'a+'); // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged -- ignore warning as we try to handle it below
if (!$f) {
$aio_wp_security->debug_logger->log_debug("chmod operation on .htaccess failed.", 4);
return false;
}
}
AIOWPSecurity_Utility_File::backup_and_rename_htaccess($htaccess); // TODO - we dont want to continually be backing up the htaccess file
$ht = explode(PHP_EOL, implode('', file($htaccess))); // parse each line of file into array
$rules = AIOWPSecurity_Utility_Htaccess::getrules();
$rulesarray = explode(PHP_EOL, $rules);
$rulesarray = apply_filters('aiowps_htaccess_rules_before_writing', $rulesarray);
$contents = array_merge($rulesarray, $ht);
$f = @fopen($htaccess, 'w+'); // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged -- ignore warning as we try to handle it below
if (!$f) {
$aio_wp_security->debug_logger->log_debug("Write operation on .htaccess failed.", 4);
return false; //we can't write to the file
}
$blank = false;
//write each line to file
foreach ($contents as $insertline) {
if (trim($insertline) == '') {
if (false == $blank) {
fwrite($f, PHP_EOL . trim($insertline));
}
$blank = true;
} else {
$blank = false;
fwrite($f, PHP_EOL . trim($insertline));
}
}
if (is_resource($f)) @fclose($f);
return true; //success
}
/**
* This function will delete the code which has been added to the .htaccess file by this plugin
* It will try to find the comment markers "# BEGIN All In One WP Security" and "# END All In One WP Security" and delete contents in between
*
* @param string $section
* @return Integer{-1,1} -1 for failure, 1 for success.
*/
public static function delete_from_htaccess($section = 'All In One WP Security') {
$home_path = AIOWPSecurity_Utility_File::get_home_path();
$htaccess = $home_path . '.htaccess';
if (!file_exists($htaccess)) {
$ht = @fopen($htaccess, 'a+');// phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged -- ignore warning as we try to handle it below
if (false === $ht) {
global $aio_wp_security;
$aio_wp_security->debug_logger->log_debug('Failed to create .htaccess file', 4);
return -1;
}
if (is_resource($ht)) @fclose($ht);
}
// Bug Fix: On some environments such as windows (xampp) this function was clobbering the non-aiowps-related .htaccess contents for certain cases.
// In some cases when WordPress saves the .htaccess file (eg, when saving permalink settings),
// the line endings differ from the expected PHP_EOL endings. (WordPress saves with "\n" (UNIX style) but PHP_EOL may be set as "\r\n" (WIN/DOS))
// In this case exploding via PHP_EOL may not yield the result we expect.
// Therefore we need to do the following extra checks.
$ht_contents_imploded = implode('', file($htaccess));
if (empty($ht_contents_imploded)) {
return 1;
} elseif (strstr($ht_contents_imploded, PHP_EOL)) {
$ht_contents = explode(PHP_EOL, $ht_contents_imploded); //parse each line of file into array
} elseif (strstr($ht_contents_imploded, "\n")) {
$ht_contents = explode("\n", $ht_contents_imploded); //parse each line of file into array
} elseif (strstr($ht_contents_imploded, "\r")) {
$ht_contents = explode("\r", $ht_contents_imploded); //parse each line of file into array
} elseif (strstr($ht_contents_imploded, "\r\n")) {
$ht_contents = explode("\r\n", $ht_contents_imploded); //parse each line of file into array
}
if ($ht_contents) { //as long as there are lines in the file
$state = true;
$f = @fopen($htaccess, 'w+'); // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged -- ignore warning as we try to handle it below
if (!$f) {
@chmod($htaccess, 0644);// phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged -- ignore warning as we try to handle it below
$f = @fopen($htaccess, 'w+'); // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged -- ignore warning as we try to handle it below
if (!$f) return -1;
}
foreach ($ht_contents as $markerline) { //for each line in the file
if (strpos($markerline, '# BEGIN ' . $section) !== false) { //if we're at the beginning of the section
$state = false;
}
if (true == $state) { //as long as we're not in the section keep writing
fwrite($f, trim($markerline) . PHP_EOL);
}
if (strpos($markerline, '# END ' . $section) !== false) { //see if we're at the end of the section
$state = true;
}
}
if (is_resource($f)) @fclose($f);
return 1;
}
return 1;
}
public static function getrules() {
global $aio_wp_security;
$rules = "";
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_block_wp_file_access();
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_basic_htaccess();
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_block_debug_log_access_htaccess();
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_disable_index_views();
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_disable_trace_and_track();
$rules .= AIOWPSecurity_Utility_Htaccess::getrules_5g_blacklist();
$rules .= AIOWPSecurity_Utility_Htaccess::prevent_image_hotlinks();
$custom_rules = AIOWPSecurity_Utility_Htaccess::getrules_custom_rules();
if ($aio_wp_security->configs->get_value('aiowps_place_custom_rules_at_top')=='1') {
$rules = $custom_rules . $rules;
} else {
$rules .= $custom_rules;
}
//TODO: The following utility functions are ready to use when we write the menu pages for these features
//Add more functions for features as needed
//$rules .= AIOWPSecurity_Utility_Htaccess::getrules_somefeature();
//Add outer markers if we have rules
if ('' != $rules) {
$rules = "# BEGIN All In One WP Security" . PHP_EOL . $rules . "# END All In One WP Security" . PHP_EOL;
}
return $rules;
}
/**
* This function will write rules to prevent people from accessing the following files:
* readme.html, license.txt and wp-config-sample.php.
*/
public static function getrules_block_wp_file_access() {
global $aio_wp_security;
$rules = '';
if ($aio_wp_security->configs->get_value('aiowps_prevent_default_wp_file_access') == '1') {
$rules .= AIOWPSecurity_Utility_Htaccess::$prevent_wp_file_access_marker_start . PHP_EOL; //Add feature marker start
$rules .= self::create_apache2_access_denied_rule('license.txt');
$rules .= self::create_apache2_access_denied_rule('wp-config-sample.php');
$rules .= self::create_apache2_access_denied_rule('readme.html');
$rules .= AIOWPSecurity_Utility_Htaccess::$prevent_wp_file_access_marker_end . PHP_EOL; //Add feature marker end
}
return $rules;
}
/**
* TODO - info
*/
public static function getrules_basic_htaccess() {
global $aio_wp_security;
$rules = '';
if ($aio_wp_security->configs->get_value('aiowps_enable_basic_firewall') == '1') {
$rules .= AIOWPSecurity_Utility_Htaccess::$basic_htaccess_rules_marker_start . PHP_EOL; //Add feature marker start
//protect the htaccess file - this is done by default with apache config file but we are including it here for good measure
$rules .= self::create_apache2_access_denied_rule('.htaccess');
//disable the server signature
$rules .= 'ServerSignature Off' . PHP_EOL;
//limit file upload size
$upload_limit = $aio_wp_security->configs->get_value('aiowps_max_file_upload_size');
//Shouldn't be empty but just in case
$upload_limit = empty($upload_limit) ? AIOS_FIREWALL_MAX_FILE_UPLOAD_LIMIT_MB : $upload_limit;
$upload_limit = $upload_limit * 1024 * 1024; // Convert from MB to Bytes - approx but close enough
$rules .= 'LimitRequestBody '.$upload_limit . PHP_EOL;
// protect wpconfig.php.
$rules .= self::create_apache2_access_denied_rule('wp-config.php');
$rules .= AIOWPSecurity_Utility_Htaccess::$basic_htaccess_rules_marker_end . PHP_EOL; //Add feature marker end
}
return $rules;
}
public static function getrules_block_debug_log_access_htaccess() {
global $aio_wp_security;
$rules = '';
if ($aio_wp_security->configs->get_value('aiowps_block_debug_log_file_access') == '1') {
$rules .= AIOWPSecurity_Utility_Htaccess::$debug_log_block_htaccess_rules_marker_start . PHP_EOL; //Add feature marker start
$rules .= self::create_apache2_access_denied_rule('debug.log');
$rules .= AIOWPSecurity_Utility_Htaccess::$debug_log_block_htaccess_rules_marker_end . PHP_EOL; //Add feature marker end
}
return $rules;
}
/**
* This function will disable directory listings for all directories, add this line to the
* sites root .htaccess file.
* NOTE: AllowOverride must be enabled in the httpd.conf file for this to work!
*/
public static function getrules_disable_index_views() {
global $aio_wp_security;
$rules = '';
if ($aio_wp_security->configs->get_value('aiowps_disable_index_views') == '1') {
$rules .= AIOWPSecurity_Utility_Htaccess::$disable_index_views_marker_start . PHP_EOL; //Add feature marker start
$rules .= 'Options -Indexes' . PHP_EOL;
$rules .= AIOWPSecurity_Utility_Htaccess::$disable_index_views_marker_end . PHP_EOL; //Add feature marker end
}
return $rules;
}
/**
* This function will write rules to disable trace and track.
* HTTP Trace attack (XST) can be used to return header requests
* and grab cookies and other information and is used along with
* a cross site scripting attacks (XSS)
*/
public static function getrules_disable_trace_and_track() {
global $aio_wp_security;
$rules = '';
if ($aio_wp_security->configs->get_value('aiowps_disable_trace_and_track') == '1') {
$rules .= AIOWPSecurity_Utility_Htaccess::$disable_trace_track_marker_start . PHP_EOL; //Add feature marker start
$rules .= '<IfModule mod_rewrite.c>' . PHP_EOL;
$rules .= 'RewriteEngine On' . PHP_EOL;
$rules .= 'RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)' . PHP_EOL;
$rules .= 'RewriteRule .* - [F]' . PHP_EOL;
$rules .= '</IfModule>' . PHP_EOL;
$rules .= AIOWPSecurity_Utility_Htaccess::$disable_trace_track_marker_end . PHP_EOL; //Add feature marker end
}
return $rules;
}
/**
* This function contains the rules for the 5G blacklist produced by Jeff Starr from perishablepress.com
* NOTE: Since Jeff regularly updates and evolves his blacklist rules, ie, 5G->6G->7G.... we will update this function to reflect the latest blacklist release
*/
public static function getrules_5g_blacklist() {
global $aio_wp_security;
$rules = '';
if ($aio_wp_security->configs->get_value('aiowps_enable_5g_firewall') == '1') {
$rules .= AIOWPSecurity_Utility_Htaccess::$five_g_blacklist_marker_start . PHP_EOL; //Add feature marker start
$rules .= '# 5G BLACKLIST/FIREWALL (2013)
# @ http://perishablepress.com/5g-blacklist-2013/
# 5G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\\|\.\./|`|=\'$|=%27$) [NC,OR]
RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
RewriteRule .* - [F]
</IfModule>
# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
# SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
<limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</limit>
</IfModule>
# 5G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (https?|ftp|php)\://
RedirectMatch 403 /(https?|ima|ucp)/
RedirectMatch 403 /(Permanent|Better)$
RedirectMatch 403 (\=\\\\\\\'|\=\\\%27|/\\\\\\\'/?|\)\.css\()$
RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\\\"\\\\\")
RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
RedirectMatch 403 \.well\-known/host\-meta
RedirectMatch 403 /function\.array\-rand
RedirectMatch 403 \)\;\$\(this\)\.html\(
RedirectMatch 403 proc/self/environ
RedirectMatch 403 msnbot\.htm\)\.\_
RedirectMatch 403 /ref\.outcontrol
RedirectMatch 403 com\_cropimage
RedirectMatch 403 indonesia\.htm
RedirectMatch 403 \{\$itemURL\}
RedirectMatch 403 function\(\)
RedirectMatch 403 labels\.rdf
RedirectMatch 403 /playing.php
RedirectMatch 403 muieblackcat
</IfModule>
# 5G:[REQUEST METHOD]
<ifModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>' . PHP_EOL;
$rules .= AIOWPSecurity_Utility_Htaccess::$five_g_blacklist_marker_end . PHP_EOL; //Add feature marker end
}
return $rules;
}
/**
* This function will write some directives to prevent image hotlinking
*/
public static function prevent_image_hotlinks() {
global $aio_wp_security;
$rules = '';
if ($aio_wp_security->configs->get_value('aiowps_prevent_hotlinking') == '1') {
$url_string = AIOWPSecurity_Utility_Htaccess::return_regularized_url(AIOWPSEC_WP_HOME_URL);
if (false == $url_string) {
$url_string = AIOWPSEC_WP_HOME_URL;
}
$rules .= AIOWPSecurity_Utility_Htaccess::$prevent_image_hotlinks_marker_start . PHP_EOL; //Add feature marker start
$rules .= '<IfModule mod_rewrite.c>' . PHP_EOL;
$rules .= 'RewriteEngine On' . PHP_EOL;
$rules .= 'RewriteCond %{HTTP_REFERER} !^$' . PHP_EOL;
$rules .= 'RewriteCond %{REQUEST_FILENAME} -f' . PHP_EOL;
$rules .= 'RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]' . PHP_EOL;
$rules .= 'RewriteCond %{HTTP_REFERER} !^' . $url_string . ' [NC]' . PHP_EOL;
$rules .= 'RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]' . PHP_EOL;
$rules .= '</IfModule>' . PHP_EOL;
$rules .= AIOWPSecurity_Utility_Htaccess::$prevent_image_hotlinks_marker_end . PHP_EOL; //Add feature marker end
}
return $rules;
}
/**
* This function will write any custom htaccess rules into the server's .htaccess file
*
* @return string
*/
public static function getrules_custom_rules() {
global $aio_wp_security;
$rules = '';
if ($aio_wp_security->configs->get_value('aiowps_enable_custom_rules') == '1') {
$custom_rules = $aio_wp_security->configs->get_value('aiowps_custom_rules');
$rules .= AIOWPSecurity_Utility_Htaccess::$custom_rules_marker_start . PHP_EOL; //Add feature marker start
$rules .= $custom_rules . PHP_EOL;
$rules .= AIOWPSecurity_Utility_Htaccess::$custom_rules_marker_end . PHP_EOL; //Add feature marker end
}
return $rules;
}
/**
* This function will do a quick check to see if a file's contents are actually .htaccess specific.
* At the moment it will look for the following tag somewhere in the file - "# BEGIN WordPress"
* If it finds the tag it will deem the file as being .htaccess specific.
* This was written to supplement the .htaccess restore functionality
*
* @param string $file_contents - the contents of the .htaccess file
*
* @return boolean
*/
public static function check_if_htaccess_contents($file_contents) {
$is_htaccess = false;
if (false === $file_contents || strlen($file_contents) == 0) {
return -1;
}
if ((strpos($file_contents, '# BEGIN WordPress') !== false) || (strpos($file_contents, '# BEGIN') !== false)) {
$is_htaccess = true; // It appears that we have some sort of .htaccess file
} else {
//see if we're at the end of the section
$is_htaccess = false;
}
if ($is_htaccess) {
return 1;
} else {
return -1;
}
}
/**
* This function will take a URL string and convert it to a form useful for using in htaccess rules.
* Example: If URL passed to function = "http://www.mysite.com"
* Result = "http(s)?://(.*)?mysite\.com"
*
* @param string $url
* @return string
*/
public static function return_regularized_url($url) {
if (filter_var($url, FILTER_VALIDATE_URL)) {
$xyz = explode('.', $url);
$y = '';
if (count($xyz) > 1) {
$j = 1;
foreach ($xyz as $x) {
if (strpos($x, 'www') !== false) {
$y .= str_replace('www', '(.*)?', $x);
} elseif (1 == $j) {
$y .= $x;
} elseif ($j > 1) {
$y .= '\.' . $x;
}
$j++;
}
//Now replace the "http" with "http(s)?" to cover both secure and non-secure
if (strpos($y, 'https') !== false) {
$y = str_replace('https', 'http(s)?', $y);
} elseif (strpos($y, 'http') !== false) {
$y = str_replace('http', 'http(s)?', $y);
}
return $y;
} else {
return $url;
}
} else {
return false;
}
}
/**
* Returns a string with <Files $filename> directive that contains rules
* to effectively block access to any file that has basename matching
* $filename under Apache webserver.
*
* @link http://httpd.apache.org/docs/current/mod/core.html#files
*
* @param string $filename
* @return string
*/
protected static function create_apache2_access_denied_rule($filename) {
return <<<END
<Files $filename>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
END;
// Keep the empty line at the end of heredoc string,
// otherwise the string will not end with end-of-line character!
}
/**
* Convert an array of optionally asterisk-masked or partial IPv4 addresses
* into network/netmask notation. Netmask value for a "full" IP is not
* added (see example below)
*
* Example:
* In: array('1.2.3.4', '5.6', '7.8.9.*')
* Out: array('1.2.3.4', '5.6.0.0/16', '7.8.9.0/24')
*
* Simple validation is performed:
* In: array('1.2.3.4.5', 'abc', '1.2.xyz.4')
* Out: array()
*
* Simple sanitization is performed:
* In: array('6.7.*.9')
* Out: array('6.7.0.0/16')
*
* @param array $ips
* @return array
*/
protected static function add_netmask($ips = array()) {
$output = array();
if (empty($ips)) return array();
foreach ($ips as $ip) {
//Check if ipv6
if (strpos($ip, ':') !== false) {
//for now support whole ipv6 and CIDR range.
$checked_ip = AIOWPSecurity_Utility_IP::is_ipv6_address_or_ipv6_range($ip);
if (false != $checked_ip) {
$output[] = $ip;
}
}
$parts = explode('.', $ip);
// Skip any IP that is empty, has more parts than expected or has
// a non-numeric first part.
if (empty($parts) || (count($parts) > 4) || !is_numeric($parts[0])) {
continue;
}
$ip_out = array($parts[0]);
$netmask = 8;
for ($i = 1, $force_zero = false; ($i < 4) && $ip_out; $i++) {
if ($force_zero || !isset($parts[$i]) || ('' === $parts[$i]) || ('*' === $parts[$i])) {
$ip_out[$i] = '0';
$force_zero = true; // Forces all subsequent parts to be a zero
} elseif (is_numeric($parts[$i])) {
$ip_out[$i] = $parts[$i];
$netmask += 8;
} else {
// Invalid IP part detected, invalidate entire IP
$ip_out = false;
}
}
if ($ip_out) {
// Glue IP back together, add netmask if IP denotes a subnet, store for output.
$output[] = implode('.', $ip_out) . (($netmask < 32) ? ('/' . $netmask) : '');
}
}
return $output;
}
}