@@ -63,24 +63,14 @@ function os2forms_digital_signature_file_download($uri) {
6363 $allowedIpsArr = array_filter($allowedIpsArr);
6464 $remoteIp = \Drupal::request()->getClientIp();
6565
66- // IP list is empty, allow access .
67- if (empty($allowedIpsArr)) {
66+ // Check if remote IP matches any allowed IP or CIDR range .
67+ if (empty($allowedIpsArr) || IpUtils::checkIp($remoteIp, $allowedIpsArr) ) {
6868 $basename = basename($uri);
6969 return [
7070 'Content-disposition' => 'attachment; filename="' . $basename . '"',
7171 ];
7272 }
7373
74- // Check if remote IP matches any allowed IP or CIDR range.
75- foreach ($allowedIpsArr as $allowedIp) {
76- if ($remoteIp === $allowedIp || os2forms_digital_signature_ip_in_cidr($remoteIp, $allowedIp)) {
77- $basename = basename($uri);
78- return [
79- 'Content-disposition' => 'attachment; filename="' . $basename . '"',
80- ];
81- }
82- }
83-
8474 // Deny access and log warning.
8575 \Drupal::logger('os2forms_digital_signature')->warning('File download denied for IP @ip on URI @uri. Allowed IPs: @allowed', [
8676 '@ip' => $remoteIp,
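Review bot: The merged condition on new line 67 still grants the download to every client when `$allowedIpsArr` is empty, and the rewritten comment above it no longer says so; the removed "IP list is empty, allow access" comment was the only place this fail-open default was documented. If the open default is intended, state it in the comment, e.g. `// Allow when no IP restriction is configured, or when the remote IP matches an allowed IP or CIDR range.`; if it is not, drop the `empty($allowedIpsArr) ||` branch so an unset or mistyped setting denies access to submission files instead of exposing them. The check also depends on `\Drupal::request()->getClientIp()`, which presumably returns the real client address only when the site's reverse-proxy trust settings are correct, so that assumption is worth recording next to the check. The function body starts and ends outside this hunk, so how the allow-list is parsed and trimmed is not visible here.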
@@ -94,18 +84,3 @@ function os2forms_digital_signature_file_download($uri) {
9484 // Not submission file, allow normal access.
9585 return NULL;
9686}
97-
98- /**
99- * Check if an IP address is within a CIDR range.
100- *
101- * @param string $ip
102- * The IP address to check.
103- * @param string $cidr
104- * The CIDR range (e.g. "172.16.0.0/16").
105- *
106- * @return bool
107- * TRUE if the IP is within the CIDR range, FALSE otherwise.
108- */
109- function os2forms_digital_signature_ip_in_cidr(string $ip, string $cidr): bool {
110- return IpUtils::checkIp($ip, $cidr);
111- }