feat: add ip block list settings

Access_Core.php

@@ -92,6 +92,34 @@ class Access_Core
         return $entrypoint;
     }
 
+    /**
+     * 判断当前 IP 是否在屏蔽 IP(段) 中
+     *
+     * @access private
+     * @return bool
+     */
+    private function isBlockIp($ip): ?bool
+    {
+        $version = Access_Ip::matchIPVersion($ip);
+        if ($version === null) {
+            return false;
+        }
+
+        $lines = explode('\n', $this->config->blockIps);
+        foreach ($lines as $line) {
+            $cidr = explode('#', $line)[0];
+            $cidr = trim($cidr);
+
+            if (!empty($cidr)) {
+                if (Access_Ip::matchCIDR($cidr, $ip)) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
     /**
      * 记录当前访问（管理员登录不会记录）
      *
@@ -107,6 +135,9 @@ class Access_Core
             $url = $this->request->getServer('REQUEST_URI');
         }
         $ip = $this->request->getIp();
+        if ($this->isBlockIp($ip)) {
+            return;
+        }
         if(!empty($ip)) {
             # 解析ip归属地
             try {

Access_Ip.php

@@ -0,0 +1,126 @@
+<?php
+if (!defined('__ACCESS_PLUGIN_ROOT__')) {
+    throw new Exception('Bootstrap file not found');
+}
+
+class Access_Ip
+{
+    /**
+     * Check if a string is a valid IPv4 address
+     * @param string $str test string
+     * @return bool return true if it is a valid IPv4 address
+     */
+    public static function isIPv4($str)
+    {
+        if (filter_var($str, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Check if a string is a valid IPv6 address
+     * @param string $str test string
+     * @return bool return true if it is a valid IPv6 address
+     */
+    public static function isIPv6($str)
+    {
+        if (filter_var($str, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Check if a string is a valid IP address, and return its version
+     * @param string $str test string
+     * @return number|null return version or null if it is not a ip address
+     */
+    public static function matchIPVersion($str)
+    {
+        if (Access_Ip::isIPv4($str)) {
+            return 4;
+        }
+        if (Access_Ip::isIPv6($str)) {
+            return 6;
+        }
+        return null;
+    }
+
+    /**
+     * Check if an ip address is in the CIDR subnet.
+     * @param string $cidr - an ipv6 address, ex 1.2.3.5/24, ::1, 2001:288:5200::1, :: ,etc.
+     * @param string $addr - an ip subnet, ex 1.2.3.4 or 2001:288:5400/39 or 2001:288:5432:/64 or 2001:288:5478::/64..
+     * @return bool return true if $addr is inside the $cidr subnet, or return false.
+     */
+    public static function matchCIDR($cidr, $addr)
+    {
+        $cidrVersion = Access_Ip::matchIPVersion(explode('/', $cidr)[0]);
+        $addrVersion = Access_Ip::matchIPVersion($addr);
+
+        if ($cidrVersion !== $addrVersion) {
+            return false;
+        }
+
+        if ($cidrVersion === 4) {
+            return Access_Ip::matchCIDRv4($cidr, $addr);
+        }
+
+        if ($cidrVersion === 6) {
+            return Access_Ip::matchCIDRv6($cidr, $addr);
+        }
+
+        return false;
+    }
+
+    /**
+     * Check if an ipv4 address is in the CIDRv4 subnet.
+     * @param $cidr string an ipv4 subnet ex .. 1.2.3.5/24
+     * @param $addr string an ipv4 address ex.. 1.2.3.4
+     * @return bool return true if $ip is inside the $cidr subnet, or return false.
+     */
+    public static function matchCIDRv4($cidr, $addr)
+    {
+        $parts = explode('/', $cidr);
+        $cidr_ip = $parts[0];
+        $cidr_mask = count($parts) >= 2 ? $parts[1] : '32';
+        return (ip2long($addr) >> (32 - $cidr_mask) == ip2long($cidr_ip) >> (32 - $cidr_mask));
+    }
+
+    /**
+     * Convert an ipv6 address to bin string
+     * @param string $addr - an ipv6 address
+     * @return string return the binary string of an ipv6 address if parameter ip6 is an ipv6 address,
+     *         else it return an empty string.
+     */
+    public static function ExpandIPv6Notation2Bin($addr)
+    {
+        if (strpos($addr, '::') !== false) {
+            $addr = str_replace('::', str_repeat(':0', 8 - substr_count($addr, ':')) . ':', $addr);
+        }
+        $ip6parts = explode(':', $addr);
+        $res = "";
+        foreach ($ip6parts as $part) {
+            $res .= str_pad(base_convert($part, 16, 2), 16, 0, STR_PAD_LEFT);
+        }
+        return $res;
+    }
+
+    /**
+     * Check if an ipv6 address is in the CIDRv6 subnet.
+     * @param string $cidr - an ipv6 subnet, ex 2001:288:5400/39 or 2001:288:5432:/64 or 2001:288:5478::/64..
+     * @param string $addr - an ipv6 address, ex ::1, 2001:288:5200::1, :: ,etc.
+     * @return bool return true if $addr is inside the $cidr subnet, or return false.
+     */
+    public static function MatchCIDRv6($cidr, $addr)
+    {
+        $parts = explode('/', $cidr);
+        $cidr_ip = $parts[0];
+        $cidr_mask = count($parts) >= 2 ? $parts[1] : '128';
+        $cidr_bin = substr(Access_Ip::ExpandIPv6Notation2Bin($cidr_ip), 0, $cidr_mask);
+        $ip_bin = substr(Access_Ip::ExpandIPv6Notation2Bin($addr), 0, $cidr_mask);
+        if (!strcmp($cidr_bin, $ip_bin))
+            return true;
+        return false;
+    }
+}

Plugin.php

@@ -75,9 +75,13 @@ class Access_Plugin implements Typecho_Plugin_Interface
                 '0' => '后端',
                 '1' => '前端',
             ), '0', '日志写入类型:', '请选择日志写入类型，如果写入速度较慢可选择前端写入日志。<br/>如果您使用了pjax，请在pjax相关事件中调用 window.Access.track() 方法。');
+        $blockIps = new Typecho_Widget_Helper_Form_Element_Textarea(
+            'blockIps', null, '',
+            'IP 黑名单', '每行一个，不记录来自这些 IP 的访问记录，支持 CIDR 掩码配置，支持 # 行注释');
         $form->addInput($pageSize);
         $form->addInput($isDrop);
         $form->addInput($writeType);
+        $form->addInput($blockIps);
     }
 
     /**