-rw-r--r-- | config/global.php | 39 | ||||
-rw-r--r-- | plugins/CoreHome/tests/Integration/LoginAllowlistTest.php | 8 |
2 files changed, 32 insertions, 15 deletions
diff --git a/config/global.php b/config/global.php
index f7834df256..1e43a2e479 100644
--- a/config/global.php
+++ b/config/global.php
@@ -167,24 +167,35 @@ return array(
 foreach ($ips as $ip) {
 $ip = trim($ip);
- if (filter_var($ip, FILTER_VALIDATE_IP)) {
+ if (filter_var($ip, FILTER_VALIDATE_IP) || \Matomo\Network\IPUtils::getIPRangeBounds($ip) !== null) {
 $ipsResolved[] = $ip;
 } else {
- $ipFromHost = @gethostbyname($ip);
- if (!empty($ipFromHost)) {
- // we don't check using filter_var if it's an IP as "gethostbyname" will return the $ip if it's not a hostname
- // and we then assume it is an IP range. Otherwise IP ranges would not be added. Ideally would above check if it is an
- // IP range before trying to get host by name.
- $ipsResolved[] = $ipFromHost;
- }
-
- if (function_exists('dns_get_record')) {
- $entry = @dns_get_record($ip, DNS_AAAA);
- if (!empty($entry['0']['ipv6'])
- && filter_var($entry['0']['ipv6'], FILTER_VALIDATE_IP)) {
- $ipsResolved[] = $entry['0']['ipv6'];
+ $lazyCache = \Piwik\Cache::getLazyCache();
+ $cacheKey = 'DNS.' . md5($ip);
+
+ $resolvedIps = $lazyCache->fetch($cacheKey);
+
+ if (!is_array($resolvedIps)) {
+ $resolvedIps = [];
+
+ $ipFromHost = @gethostbyname($ip);
+ if (!empty($ipFromHost) && $ipFromHost !== $ip) {
+ $resolvedIps[] = $ipFromHost;
+ }
+
+ if (function_exists('dns_get_record')) {
+ $entry = @dns_get_record($ip, DNS_AAAA);
+
+ if (!empty($entry['0']['ipv6'])
+ && filter_var($entry['0']['ipv6'], FILTER_VALIDATE_IP)) {
+ $resolvedIps[] = $entry['0']['ipv6'];
+ }
 }
+
+ $lazyCache->save($cacheKey, $resolvedIps, 30);
 }
+
+ $ipsResolved = array_merge($ipsResolved, $resolvedIps);
 }
 }
diff --git a/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php b/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php
index bfec00497f..f22ff358a3 100644
--- a/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php
+++ b/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php
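Review bot: In config/global.php the new cache block saves `$resolvedIps` even when both lookups failed, so the empty array passes the `is_array` check on the next call and a transient DNS failure is remembered for the full lifetime of 30 passed to `save()`. Together with the new `$ipFromHost !== $ip` condition, a hostname that does not resolve now contributes nothing to `$ipsResolved`, where the old code kept the name itself. If the consumer of this list treats an empty result as "no allowlist configured" (not visible in this hunk, to be confirmed), a DNS outage could switch the login restriction off instead of locking users out. I would skip the negative cache entry, `if (!empty($resolvedIps)) { $lazyCache->save($cacheKey, $resolvedIps, 30); }`, and add a comment above the lookup such as `// unresolvable hostnames are dropped; an empty result must not disable the allowlist`. The enclosing closure starts and ends outside the hunk.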
@@ -138,7 +138,13 @@ class LoginAllowlistTest extends IntegrationTestCase
 public function test_getAllowlistedLoginIps_shouldResolveIpv6Only()
 {
 $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1', 'integration-test.matomo.org', '127.0.0.1']);
- $this->assertSame(['192.168.33.1', 'integration-test.matomo.org', '::1', '127.0.0.1'], $this->allowlist->getAllowlistedLoginIps());
+ $this->assertSame(['192.168.33.1', '::1', '127.0.0.1'], $this->allowlist->getAllowlistedLoginIps());
+ }
+
+ public function test_getAllowlistedLoginIps_shouldReturnRanges()
+ {
+ $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1', '204.93.177.0/25', '2001:db9::/48', '127.0.0.1']);
+ $this->assertSame(['192.168.33.1', '204.93.177.0/25', '2001:db9::/48', '127.0.0.1'], $this->allowlist->getAllowlistedLoginIps());
 }
 public function test_getAllowlistedLoginIps_shouldNotBeCheckedIfOnlyEmptyEntries() |
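Review bot: Nothing in LoginAllowlistTest.php pins the new behaviour for a hostname that fails to resolve, which the config/global.php change now drops from the list instead of passing through unchanged. A case like the one below would document that outcome next to the new range test. It would also show whether a cache entry written under the `'DNS.'` key by one test can influence another. The hostname is a constructed sample under the reserved `.invalid` TLD, and the class body continues outside the hunk.

```php
public function test_getAllowlistedLoginIps_shouldDropUnresolvableHostnames()
{
    // constructed sample hostname; .invalid is reserved and is not expected to resolve
    $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1', 'unresolvable.invalid', '127.0.0.1']);
    $this->assertSame(['192.168.33.1', '127.0.0.1'], $this->allowlist->getAllowlistedLoginIps());
}
```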