[HttpFoundation] Avoid warnings when checking malicious IPs

jakzal · jakzal · commit 3067bdb8d9b3 · 2016-03-10T08:48:57.000Z
diff --git a/src/Symfony/Component/HttpFoundation/IpUtils.php b/src/Symfony/Component/HttpFoundation/IpUtils.php
@@ -112,8 +112,12 @@ public static function checkIp6($requestIp, $ip)
             $netmask = 128;
         }
 
-        $bytesAddr = unpack('n*', inet_pton($address));
-        $bytesTest = unpack('n*', inet_pton($requestIp));
+        $bytesAddr = unpack('n*', @inet_pton($address));
+        $bytesTest = unpack('n*', @inet_pton($requestIp));
+
+        if (!$bytesAddr || !$bytesTest) {
+            return false;
+        }
 
         for ($i = 1, $ceil = ceil($netmask / 16); $i <= $ceil; ++$i) {
             $left = $netmask - 16 * ($i - 1);
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -780,6 +780,8 @@ public function getClientIps()
 
             if (!filter_var($clientIp, FILTER_VALIDATE_IP)) {
                 unset($clientIps[$key]);
+
+                continue;
             }
 
             if (IpUtils::checkIp($clientIp, self::$trustedProxies)) {
diff --git a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php
@@ -63,6 +63,8 @@ public function testIpv6Provider()
             array(true, '2a01:198:603:0:396e:4789:8e99:890f', array('::1', '2a01:198:603:0::/65')),
             array(true, '2a01:198:603:0:396e:4789:8e99:890f', array('2a01:198:603:0::/65', '::1')),
             array(false, '2a01:198:603:0:396e:4789:8e99:890f', array('::1', '1a01:198:603:0::/65')),
+            array(false, '}__test|O:21:&quot;JDatabaseDriverMysqli&quot;:3:{s:2', '::1'),
+            array(false, '2a01:198:603:0:396e:4789:8e99:890f', 'unknown'),
         );
     }
 
diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
@@ -866,6 +866,7 @@ public function testGetClientIpsProvider()
 
             // invalid forwarded IP is ignored
             array(array('88.88.88.88'), '127.0.0.1', 'unknown,88.88.88.88', array('127.0.0.1')),
+            array(array('88.88.88.88'), '127.0.0.1', '}__test|O:21:&quot;JDatabaseDriverMysqli&quot;:3:{s:2,88.88.88.88', array('127.0.0.1')),
         );
     }
 

Original file line number	Diff line number	Diff line change
`@@ -780,6 +780,8 @@ public function getClientIps()`
`780`	`780`
`781`	`781`	`if (!filter_var($clientIp, FILTER_VALIDATE_IP)) {`
`782`	`782`	`unset($clientIps[$key]);`
	`783`	`+`
	`784`	`+ continue;`
`783`	`785`	`}`
`784`	`786`
`785`	`787`	`if (IpUtils::checkIp($clientIp, self::$trustedProxies)) {`
Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,8 @@ public function testIpv6Provider()`
`63`	`63`	`array(true, '2a01:198:603:0:396e:4789:8e99:890f', array('::1', '2a01:198:603:0::/65')),`
`64`	`64`	`array(true, '2a01:198:603:0:396e:4789:8e99:890f', array('2a01:198:603:0::/65', '::1')),`
`65`	`65`	`array(false, '2a01:198:603:0:396e:4789:8e99:890f', array('::1', '1a01:198:603:0::/65')),`
	`66`	`+ array(false, '}__test\|O:21:"JDatabaseDriverMysqli":3:{s:2', '::1'),`
	`67`	`+ array(false, '2a01:198:603:0:396e:4789:8e99:890f', 'unknown'),`
`66`	`68`	`);`
`67`	`69`	`}`
`68`	`70`
Original file line number	Diff line number	Diff line change
`@@ -866,6 +866,7 @@ public function testGetClientIpsProvider()`
`866`	`866`
`867`	`867`	`// invalid forwarded IP is ignored`
`868`	`868`	`array(array('88.88.88.88'), '127.0.0.1', 'unknown,88.88.88.88', array('127.0.0.1')),`
	`869`	`+ array(array('88.88.88.88'), '127.0.0.1', '}__test\|O:21:"JDatabaseDriverMysqli":3:{s:2,88.88.88.88', array('127.0.0.1')),`
`869`	`870`	`);`
`870`	`871`	`}`
`871`	`872`