ICANN RST Fixes

2025-07-21 18:16:03 +02:00 · 2025-04-28 14:20:34 +03:00 · 2025-04-28 14:20:34 +03:00 · 193cac6d0e
commit 193cac6d0e
parent b598925bc5
3 changed files with 53 additions and 36 deletions
--- a/epp/src/helpers.php
+++ b/epp/src/helpers.php
@ -1032,4 +1032,12 @@ function validateHostName(string $hostName): bool
        '/^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/',
        $asciiHostName
    );
+}
+
+function ipMatches($ip, $cidr) {
+    list($subnet, $mask) = explode('/', $cidr);
+    $ipLong = ip2long($ip);
+    $subnetLong = ip2long($subnet);
+    $maskLong = -1 << (32 - (int)$mask);
+    return ($ipLong & $maskLong) === ($subnetLong & $maskLong);
 }
--- a/epp/start_epp.php
+++ b/epp/start_epp.php
@ -91,9 +91,18 @@ $server->handle(function (Connection $conn) use ($table, $pool, $c, $log, $permi

    // Check if the IP is in the permitted list
    if (!$permittedIPsTable->exist($clientIP)) {
-        $log->warning('Access denied. The IP address ' . $clientIP . ' is not authorized for this service.');
-        $conn->close();
-        return;
+        $allowed = false;
+        foreach ($permittedIPsTable as $row) {
+            if (strpos($row['addr'], '/') !== false && ipMatches($clientIP, $row['addr'])) {
+                $allowed = true;
+                break;
+            }
+        }
+        if (!$allowed) {
+            $log->warning('Access denied. The IP address ' . $clientIP . ' is not authorized for this service.');
+            $conn->close();
+            return;
+        }
    }

    if (($c['rately'] == true) && ($rateLimiter->isRateLimited('epp', $clientIP, $c['limit'], $c['period']))) {