return true;
}
+// ttValidIP is used to check user input to validate a comma-separated
+// list of IP subnet "prefixes", for example 192.168.0 (note: no .* in the end).
+// We keep regexp checks here simple - they are not precise.
+// For example, IPv4-mapped IPv6 addresses will fail. This may need to be fixed.
+function ttValidIP($val, $emptyValid = false)
+{
+ $val = trim($val);
+ if (strlen($val) == 0 && !$emptyValid)
+ return false;
+
+ $subnets = explode(',', $val);
+ foreach ($subnets as $subnet) {
+ $ipv4 = preg_match('/^\d\d?\d?(\.\d\d?\d?){0,3}\.?$/', $subnet); // Not precise check.
+ $ipv6 = preg_match('/^([0-9a-fA-F]{4})(:[0-9a-fA-F]{4}){0,7}$/', $subnet); // Not precise check.
+ if (!$ipv4 && !$ipv6)
+ return false;
+ }
+ return true;
+}
+
// ttAccessAllowed checks whether user is allowed access to a particular page.
// It is used as an initial check on all publicly available pages
// (except login.php, register.php, and others where we don't have to check).
$allowed_ip_array = explode(',', $user->allow_ip);
foreach ($allowed_ip_array as $allowed_ip) {
$len = strlen($allowed_ip);
- if (substr($user_ip, 0, $len) === $allowed_ip) {
+ if (substr($user_ip, 0, $len) === $allowed_ip) { // startsWith check.
$access_allowed = true;
break;
}
<br>
<table cellspacing="0" cellpadding="4" width="100%" border="0">
<tr>
- <td align="center"> Anuko Time Tracker 1.17.83.4204 | Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
+ <td align="center"> Anuko Time Tracker 1.17.83.4205 | Copyright © <a href="https://www.anuko.com/lp/tt_3.htm" target="_blank">Anuko</a> |
<a href="https://www.anuko.com/lp/tt_4.htm" target="_blank">{$i18n.footer.credits}</a> |
<a href="https://www.anuko.com/lp/tt_5.htm" target="_blank">{$i18n.footer.license}</a> |
<a href="https://www.anuko.com/lp/tt_7.htm" target="_blank">{$i18n.footer.improve}</a>
if (!ttValidString($cl_currency, true)) $err->add($i18n->get('error.field'), $i18n->get('label.currency'));
if ($user->can('manage_advanced_settings')) {
if (!ttValidEmail($cl_bcc_email, true)) $err->add($i18n->get('error.field'), $i18n->get('label.bcc'));
- // TODO: how about writing ttValidIP?
- if (!ttValidString($cl_allow_ip, true)) $err->add($i18n->get('error.field'), $i18n->get('form.profile.allow_ip'));
+ if (!ttValidIP($cl_allow_ip, true)) $err->add($i18n->get('error.field'), $i18n->get('form.profile.allow_ip'));
}
// Finished validating user input.