jcrodriguez-dis / moodle-mod_vpl

Virtual Programming Lab for Moodle (Module)
GNU General Public License v3.0

[3.2.4] "Allowed submission from net" setting does not filter all IPs #57

Closed rhobincu closed 6 years ago

rhobincu commented 6 years ago

Hello,

We have several VPL assignments configured on Moodle, each with the same three allowed IP addresses. The Allowed submission from net setting is configured as follows: ABC.DEF.160.17,ABC.DEF.160.10,ABC.DEF.160.19 where ABC.DEF are the first 2 bytes, the same in all three addresses.

However, we have noticed and verified logins from the following two IPs:

- ABC.DEF.160.22 (as reported by whatismyip.com)
- ABC.DEF.0.99 (as reported by Moodle logs)

A third, completely random IP, was correctly blocked.

This is a serious problem for us, since we use VPL to evaluate 1000 students in an official exam in our University.

jcrodriguez-dis commented 6 years ago

Hello rhobincu, of course, any unallowed access to a VPL activity is a critical issue. In this case I have not been able to reproduce the problem. The code that tests if an IP is allowed is simple and uses two Moodle functions: getremoteaddr() and address_in_subnet(). See the code: https://github.com/jcrodriguez-dis/moodle-mod_vpl/blob/fb0af546fed3603c6b25b8e1cbb15a4a6b894410/vpl.class.php#L550

getremoteaddr() returns the more reliable address of the remote client and address_in_subnet(IP, NETS) tests if the IP is in one of the networks. The documentation of address_in_subnet says:


address_in_subnet(string $addr, string $subnetstr) : bool

Function to check the passed address is within the passed subnet

The parameter is a comma separated string of subnet definitions. Subnet strings can be in one of three formats:

1) xxx.xxx.xxx.xxx/nn or xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/nnn (number of bits in net mask)
2) xxx.xxx.xxx.xxx-yyy or xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx::xxxx-yyyy (a range of IP addresses in the last group)
3) xxx.xxx or xxx.xxx. or xxx:xxx:xxxx or xxx:xxx:xxxx. (incomplete address, a bit non-technical ;-)

Code for type 1 modified from user posted comments by mediator at http://au.php.net/manual/en/function.ip2long.php


Please check that your network restriction is correctly set. Beware that due to network topology (proxy, NAT, private networks) a remote client can be seen with different IPs from different places.

I have added unit tests to check the address_in_subnet function and the function has passed the tests. If you get more information to reproduce the problem, please let me know.

Best regards, Juan Carlos.

rhobincu commented 6 years ago

Ok, I JUST found the problem: user error. :(

I wrote all three addresses on one line, as it's the only way to do it, and I accidentally replaced a dot with a comma. So instead of xxx.xxx.160.17,xxx.xxx.160.10,xxx.xxx.160.19 I wrote xxx.xxx.160.17,xxx.xxx,160.10,xxx.xxx.160.19

Notice the problem? I didn't... :)
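
Why the two unexpected addresses were accepted, shown as an added example that is not part of the original thread or of Moodle's code: a simplified, IPv4-only Python model of the three entry formats in the quoted documentation. The addresses are constructed (10.20 stands in for the redacted first two bytes), and `audit` reports how many addresses each comma-separated entry admits, so a stray comma shows up as a prefix entry covering 65536 hosts.

```python
import ipaddress

def entry_matches(addr: str, entry: str) -> bool:
    """IPv4-only model of the three documented entry formats (an assumption)."""
    entry = entry.strip()
    if "/" in entry:  # format 1: CIDR
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(entry, strict=False)
    head, last = addr.rsplit(".", 1)
    if "-" in entry:  # format 2: range in the last group
        start, end = entry.split("-")
        base, low = start.rsplit(".", 1)
        return head == base and int(low) <= int(last) <= int(end)
    # format 3: an incomplete address is a prefix match; a full address matches only itself
    return (addr + ".").startswith(entry.rstrip(".") + ".")

def allowed(addr: str, setting: str) -> bool:
    """True if any comma-separated entry of the setting admits addr."""
    return any(entry_matches(addr, e) for e in setting.split(",") if e.strip())

def audit(setting: str) -> list:
    """Return (entry, number of IPv4 addresses it admits) for each entry."""
    report = []
    for entry in (e.strip() for e in setting.split(",") if e.strip()):
        if "/" in entry:
            size = ipaddress.IPv4Network(entry, strict=False).num_addresses
        elif "-" in entry:
            start, end = entry.split("-")
            size = int(end) - int(start.rsplit(".", 1)[1]) + 1
        else:
            size = 256 ** (4 - len(entry.rstrip(".").split(".")))
        report.append((entry, size))
    return report

# Constructed sample values, not the reporter's real addresses.
INTENDED = "10.20.160.17,10.20.160.10,10.20.160.19"
TYPO = "10.20.160.17,10.20,160.10,10.20.160.19"  # one dot typed as a comma

if __name__ == "__main__":
    for name, setting in (("intended", INTENDED), ("typo", TYPO)):
        print(name, audit(setting))
        for ip in ("10.20.160.22", "10.20.0.99", "203.0.113.5"):
            print("  ", ip, "allowed" if allowed(ip, setting) else "blocked")
```

Running an audit like this on the setting before an exam makes any entry that admits more than the expected number of hosts stand out immediately.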