From 6e049535e12dc9344f4b950bf24ebf4622ee63bd Mon Sep 17 00:00:00 2001
From: Mark Crane
Date: Tue, 29 Jul 2014 04:26:32 +0000
Subject: [PATCH] Add a check for domain and api cidr
---
 app/provision/index.php | 4 ++--
 resources/pdo.php | 31 +++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/app/provision/index.php b/app/provision/index.php
index d837b0211e..1bd6d0047f 100644
--- a/app/provision/index.php
+++ b/app/provision/index.php
@@ -103,8 +103,8 @@ require_once "resources/require.php";
 $device_vendor = device::get_vendor($mac);
 //keep backwards compatibility
- if (strlen($provision["cidr"]) > 0) {
- $_SESSION['provision']["cidr"][] = $provision["cidr"];
+ if (strlen($_SESSION['provision']["cidr"]["text"]) > 0) {
+ $_SESSION['provision']["cidr"][] = $_SESSION['provision']["cidr"]["text"];
 }
 //check the cidr range
diff --git a/resources/pdo.php b/resources/pdo.php
index 4c5400994e..c03756429c 100644
--- a/resources/pdo.php
+++ b/resources/pdo.php
@@ -288,4 +288,35 @@ if ($db_type == "pgsql") {
 $domain_uuid = uuid();
 }
+//check the domain cidr range
+ if (is_array($_SESSION['domain']["cidr"])) {
+ $found = false;
+ foreach($_SESSION['domain']["cidr"] as $cidr) {
+ if (check_cidr($cidr, $_SERVER['REMOTE_ADDR'])) {
+ $found = true;
+ break;
+ }
+ }
+ if (!$found) {
+ echo "access denied";
+ exit;
+ }
+ }
+
+//check the api cidr range
+ if (is_array($_SESSION['api']["cidr"])) {
+ $found = false;
+ foreach($_SESSION['api']["cidr"] as $cidr) {
+ if (check_cidr($cidr, $_SERVER['REMOTE_ADDR'])) {
+ $found = true;
+ break;
+ }
+ }
+ if (!$found) {
+ unset ($_REQUEST['key']);
+ unset ($_POST['key']);
+ unset ($_GET['key']);
+ }
+ }
+
 ?>
\ No newline at end of file
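Review bot: The new `strlen($_SESSION['provision']["cidr"]["text"])` call dereferences the `"text"` key without checking it exists, so a session where the cidr setting was never stored raises an undefined-index notice (and `strlen(null)` is deprecated on 8.1+); guard it with `if (isset($_SESSION['provision']["cidr"]["text"]) && strlen($_SESSION['provision']["cidr"]["text"]) > 0) {`. Note also that the `"text"` entry stays in the same array that the appended copy is pushed into, so the array now holds both a string-keyed and a numeric entry; the "check the cidr range" loop that presumably follows (outside this hunk) would iterate the `"text"` entry as well, which looks harmless but is worth a comment such as `// "text" is the raw configured value; numeric entries are the list iterated below`. If the session persists across requests, each request appends another copy, so consider replacing the `[]` append with an `in_array(..., true)` check first.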
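Review bot: The domain-cidr denial branch sends "access denied" with the default 200 status, so clients and monitoring see a successful response; emit a proper status before exiting, e.g. `http_response_code(403); echo "access denied"; exit;`. Both new blocks also call `is_array()` on a key that may be absent, which produces an undefined-index notice per request, so prefer `if (isset($_SESSION['domain']["cidr"]) && is_array($_SESSION['domain']["cidr"])) {` (and the same for `$_SESSION['api']["cidr"]`). An empty but present array is treated as "deny everyone" / "strip the key for everyone" since the loop never sets `$found`; if that is intended, a one-line comment stating it would save the next reader a trip. The two loops are identical apart from the array and the outcome, so a small shared helper returning bool would remove the duplication; the enclosing scope of these lines in pdo.php is outside the hunk.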