[HttpFoundation] IPv4-mapped IPv6 addresses incorrectly rejected

bonroyage · fabpot · commit 2170d3cd7105 · 2022-12-09T09:19:19.000+01:00
diff --git a/src/Symfony/Component/HttpFoundation/IpUtils.php b/src/Symfony/Component/HttpFoundation/IpUtils.php
@@ -125,17 +125,17 @@ public static function checkIp6($requestIp, $ip)
         }
 
         // Check to see if we were given a IP4 $requestIp or $ip by mistake
-        if (str_contains($requestIp, '.') || str_contains($ip, '.')) {
-            return self::$checkedIps[$cacheKey] = false;
-        }
-
         if (!filter_var($requestIp, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {
             return self::$checkedIps[$cacheKey] = false;
         }
 
         if (str_contains($ip, '/')) {
             [$address, $netmask] = explode('/', $ip, 2);
 
+            if (!filter_var($address, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {
+                return self::$checkedIps[$cacheKey] = false;
+            }
+
             if ('0' === $netmask) {
                 return (bool) unpack('n*', @inet_pton($address));
             }
@@ -144,6 +144,10 @@ public static function checkIp6($requestIp, $ip)
                 return self::$checkedIps[$cacheKey] = false;
             }
         } else {
+            if (!filter_var($ip, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {
+                return self::$checkedIps[$cacheKey] = false;
+            }
+
             $address = $ip;
             $netmask = 128;
         }
diff --git a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php
@@ -77,6 +77,7 @@ public function getIpv6Data()
             [false, '0.0.0.0/8', '::1'],
             [false,  '::1', '127.0.0.1'],
             [false,  '::1', '0.0.0.0/8'],
+            [true, '::ffff:10.126.42.2', '::ffff:10.0.0.0/0'],
         ];
     }
 

Original file line number	Diff line number	Diff line change
`@@ -125,17 +125,17 @@ public static function checkIp6($requestIp, $ip)`
`125`	`125`	`}`
`126`	`126`
`127`	`127`	`// Check to see if we were given a IP4 $requestIp or $ip by mistake`
`128`		`- if (str_contains($requestIp, '.') \|\| str_contains($ip, '.')) {`
`129`		`- return self::$checkedIps[$cacheKey] = false;`
`130`		`- }`
`131`		`-`
`132`	`128`	`if (!filter_var($requestIp, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {`
`133`	`129`	`return self::$checkedIps[$cacheKey] = false;`
`134`	`130`	`}`
`135`	`131`
`136`	`132`	`if (str_contains($ip, '/')) {`
`137`	`133`	`[$address, $netmask] = explode('/', $ip, 2);`
`138`	`134`
	`135`	`+ if (!filter_var($address, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {`
	`136`	`+ return self::$checkedIps[$cacheKey] = false;`
	`137`	`+ }`
	`138`	`+`
`139`	`139`	`if ('0' === $netmask) {`
`140`	`140`	`return (bool) unpack('n*', @inet_pton($address));`
`141`	`141`	`}`
`@@ -144,6 +144,10 @@ public static function checkIp6($requestIp, $ip)`
`144`	`144`	`return self::$checkedIps[$cacheKey] = false;`
`145`	`145`	`}`
`146`	`146`	`} else {`
	`147`	`+ if (!filter_var($ip, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {`
	`148`	`+ return self::$checkedIps[$cacheKey] = false;`
	`149`	`+ }`
	`150`	`+`
`147`	`151`	`$address = $ip;`
`148`	`152`	`$netmask = 128;`
`149`	`153`	`}`
Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,7 @@ public function getIpv6Data()`
`77`	`77`	`[false, '0.0.0.0/8', '::1'],`
`78`	`78`	`[false, '::1', '127.0.0.1'],`
`79`	`79`	`[false, '::1', '0.0.0.0/8'],`
	`80`	`+ [true, '::ffff:10.126.42.2', '::ffff:10.0.0.0/0'],`
`80`	`81`	`];`
`81`	`82`	`}`
`82`	`83`