bug #48421 [HttpFoundation] IPv4-mapped IPv6 addresses incorrectly rejected (bonroyage)

fabpot · fabpot · commit 5ac16939d707 · 2022-12-09T09:19:23.000+01:00
This PR was squashed before being merged into the 5.4 branch. Discussion ---------- [HttpFoundation] IPv4-mapped IPv6 addresses incorrectly rejected | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no  | Deprecations? | no  | Tickets | Fix #48420  | License | MIT I've based it on 4.4 because that's where #48050 was merged into, but I guess I'm 1 day too late with a fix for that version Commits ------- 2170d3c [HttpFoundation] IPv4-mapped IPv6 addresses incorrectly rejected
diff --git a/src/Symfony/Component/HttpFoundation/IpUtils.php b/src/Symfony/Component/HttpFoundation/IpUtils.php
@@ -136,17 +136,17 @@ public static function checkIp6(?string $requestIp, string $ip)
         }
 
         // Check to see if we were given a IP4 $requestIp or $ip by mistake
-        if (str_contains($requestIp, '.') || str_contains($ip, '.')) {
-            return self::$checkedIps[$cacheKey] = false;
-        }
-
         if (!filter_var($requestIp, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {
             return self::$checkedIps[$cacheKey] = false;
         }
 
         if (str_contains($ip, '/')) {
             [$address, $netmask] = explode('/', $ip, 2);
 
+            if (!filter_var($address, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {
+                return self::$checkedIps[$cacheKey] = false;
+            }
+
             if ('0' === $netmask) {
                 return (bool) unpack('n*', @inet_pton($address));
             }
@@ -155,6 +155,10 @@ public static function checkIp6(?string $requestIp, string $ip)
                 return self::$checkedIps[$cacheKey] = false;
             }
         } else {
+            if (!filter_var($ip, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {
+                return self::$checkedIps[$cacheKey] = false;
+            }
+
             $address = $ip;
             $netmask = 128;
         }
diff --git a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php
@@ -78,6 +78,7 @@ public function getIpv6Data()
             [false, '0.0.0.0/8', '::1'],
             [false,  '::1', '127.0.0.1'],
             [false,  '::1', '0.0.0.0/8'],
+            [true, '::ffff:10.126.42.2', '::ffff:10.0.0.0/0'],
         ];
     }
 

Original file line number	Diff line number	Diff line change
`@@ -136,17 +136,17 @@ public static function checkIp6(?string $requestIp, string $ip)`
`136`	`136`	`}`
`137`	`137`
`138`	`138`	`// Check to see if we were given a IP4 $requestIp or $ip by mistake`
`139`		`- if (str_contains($requestIp, '.') \|\| str_contains($ip, '.')) {`
`140`		`- return self::$checkedIps[$cacheKey] = false;`
`141`		`- }`
`142`		`-`
`143`	`139`	`if (!filter_var($requestIp, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {`
`144`	`140`	`return self::$checkedIps[$cacheKey] = false;`
`145`	`141`	`}`
`146`	`142`
`147`	`143`	`if (str_contains($ip, '/')) {`
`148`	`144`	`[$address, $netmask] = explode('/', $ip, 2);`
`149`	`145`
	`146`	`+ if (!filter_var($address, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {`
	`147`	`+ return self::$checkedIps[$cacheKey] = false;`
	`148`	`+ }`
	`149`	`+`
`150`	`150`	`if ('0' === $netmask) {`
`151`	`151`	`return (bool) unpack('n*', @inet_pton($address));`
`152`	`152`	`}`
`@@ -155,6 +155,10 @@ public static function checkIp6(?string $requestIp, string $ip)`
`155`	`155`	`return self::$checkedIps[$cacheKey] = false;`
`156`	`156`	`}`
`157`	`157`	`} else {`
	`158`	`+ if (!filter_var($ip, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {`
	`159`	`+ return self::$checkedIps[$cacheKey] = false;`
	`160`	`+ }`
	`161`	`+`
`158`	`162`	`$address = $ip;`
`159`	`163`	`$netmask = 128;`
`160`	`164`	`}`
Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,7 @@ public function getIpv6Data()`
`78`	`78`	`[false, '0.0.0.0/8', '::1'],`
`79`	`79`	`[false, '::1', '127.0.0.1'],`
`80`	`80`	`[false, '::1', '0.0.0.0/8'],`
	`81`	`+ [true, '::ffff:10.126.42.2', '::ffff:10.0.0.0/0'],`
`81`	`82`	`];`
`82`	`83`	`}`
`83`	`84`