From 7de2f8d9b856867cc548029c54e7e2db2290d42b Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Fri, 30 Mar 2018 22:14:03 +0000
Subject: [PATCH] Wrote ttValidIP function to filter out most of bogus IP input.

---
 WEB-INF/lib/common.lib.php | 22 +++++++++++++++++++++-
 WEB-INF/templates/footer.tpl | 2 +-
 group_edit.php | 3 +--
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/WEB-INF/lib/common.lib.php b/WEB-INF/lib/common.lib.php
index 210ec41c..629e7d78 100644
--- a/WEB-INF/lib/common.lib.php
+++ b/WEB-INF/lib/common.lib.php
@@ -325,6 +325,26 @@ function ttValidCondition($val, $emptyValid = true)
   return true;
 }
 
+// ttValidIP is used to check user input to validate a comma-separated
+// list of IP subnet "prefixes", for example 192.168.0 (note: no .* in the end).
+// We keep regexp checks here simple - they are not precise.
+// For example, IPv4-mapped IPv6 addresses will fail. This may need to be fixed.
+function ttValidIP($val, $emptyValid = false)
+{
+  $val = trim($val);
+  if (strlen($val) == 0 && !$emptyValid)
+    return false;
+
+  $subnets = explode(',', $val);
+  foreach ($subnets as $subnet) {
+    $ipv4 = preg_match('/^\d\d?\d?(\.\d\d?\d?){0,3}\.?$/', $subnet); // Not precise check.
+    $ipv6 = preg_match('/^([0-9a-fA-F]{4})(:[0-9a-fA-F]{4}){0,7}$/', $subnet); // Not precise check.
+    if (!$ipv4 && !$ipv6)
+      return false;
+  }
+  return true;
+}
+
 // ttAccessAllowed checks whether user is allowed access to a particular page.
 // It is used as an initial check on all publicly available pages
 // (except login.php, register.php, and others where we don't have to check).
@@ -346,7 +366,7 @@ function ttAccessAllowed($required_right)
       $allowed_ip_array = explode(',', $user->allow_ip);
       foreach ($allowed_ip_array as $allowed_ip) {
         $len = strlen($allowed_ip);
-        if (substr($user_ip, 0, $len) === $allowed_ip) {
+        if (substr($user_ip, 0, $len) === $allowed_ip) { // startsWith check.
           $access_allowed = true;
           break;
         }
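Review bot: With `$emptyValid` true an empty `$val` still reaches the loop, because `explode(',', '')` yields `['']` and neither pattern matches an empty string, so `ttValidIP('', true)` returns false; the group_edit.php call site in this commit passes `true` and would therefore reject a group that sets no IP restriction at all, which is the default. The two-line check should become `if (strlen($val) == 0) return $emptyValid;`. Separately, the IPv4 pattern accepts octets up to 999 and the IPv6 pattern requires exactly four hex digits per group with no `::`, so a compressed address such as `2001:db8::1` is rejected while `999.999` is accepted; bounding each octet with `(25[0-5]|2[0-4]\d|1?\d\d?)` would tighten the IPv4 side without changing the prefix semantics, and the header comment should say that compressed IPv6 forms are not supported.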
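Review bot: The comparison on the changed line treats `$allowed_ip` as a raw string prefix, so an entry of `10.1` also admits every address under `10.10.` through `10.19.` and `10.100.` through `10.199.`, which is wider than the "subnet prefix" the new comment and ttValidIP's header describe. Because ttValidIP accepts an optional trailing dot, the prefix can be normalised to an octet boundary before comparing: `$prefix = rtrim($allowed_ip, '.');` followed by `if ($user_ip === $prefix || substr($user_ip, 0, strlen($prefix) + 1) === $prefix . '.') {`, which keeps exact-match behaviour for a full address. IPv6 prefixes have the same issue with `:` as the separator and would need the analogous boundary check. ttAccessAllowed begins and ends outside the hunk.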
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 5db80101..4a5ef36b 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
-
 Anuko Time Tracker 1.17.83.4204 | Copyright © Anuko |
+  Anuko Time Tracker 1.17.83.4205 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve}
diff --git a/group_edit.php b/group_edit.php
index 1d42ed67..128365f3 100644
--- a/group_edit.php
+++ b/group_edit.php
@@ -214,8 +214,7 @@ if ($request->isPost()) {
   if (!ttValidString($cl_currency, true)) $err->add($i18n->get('error.field'), $i18n->get('label.currency'));
   if ($user->can('manage_advanced_settings')) {
     if (!ttValidEmail($cl_bcc_email, true)) $err->add($i18n->get('error.field'), $i18n->get('label.bcc'));
-    // TODO: how about writing ttValidIP?
-    if (!ttValidString($cl_allow_ip, true)) $err->add($i18n->get('error.field'), $i18n->get('form.profile.allow_ip'));
+    if (!ttValidIP($cl_allow_ip, true)) $err->add($i18n->get('error.field'), $i18n->get('form.profile.allow_ip'));
   }
   // Finished validating user input.
--
2.20.1