8000 The given value "127.0.0.1,127.0.0.2" in the "security.access_control" config option is not a valid IP address · Issue #40864 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

The given value "127.0.0.1,127.0.0.2" in the "security.access_control" config option is not a valid IP address #40864

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
zidaneus opened this issue Apr 19, 2021 · 2 comments
Closed

The given value "127.0.0.1,127.0.0.2" in the "security.access_control" config option is not a valid IP address #40864

zidaneus opened this issue Apr 19, 2021 · 2 comments
Labels
Bug Security Status: Needs Review

Comments

@zidaneus
Copy link
zidaneus commented Apr 19, 2021
edited by xabbuh
Loading

Symfony version(s) affected: 5.2.6

Description
https://symfony.com/doc/current/security/access_control.html#matching-options
ip or ips: netmasks are also supported (can be a comma-separated string)

But if you specify ip with a comma separator, then we get an error: "The given value "127.0.0.1,127.0.0.2" in the "security.access_control" config option is not a valid IP address" in \Symfony\Bundle\SecurityBundle\DependencyInjection\SecurityExtension::createRequestMatcher
How to reproduce
config/packages/security.yaml

security:
  ...
  access_control:
      -
         path: "^/some/path/.*$"
         ips: '127.0.0.1,127.0.0.2'
         roles: ["IS_AUTHENTICATED_ANONYMOUSLY"]
         methods: ["POST"]

Validate security bundle configuration.
@zidaneus zidaneus added the Bug label Apr 19, 2021
@xabbuh
Copy link
Member
xabbuh commented Apr 19, 2021

The documentation is misleading (the code example does it right though). Your config should be like this:

security:
  access_control:
      -
         path: "^/some/path/.*$"
         ips: ['127.0.0.1', '127.0.0.2']
         roles: ["IS_AUTHENTICATED_ANONYMOUSLY"]
         methods: ["POST"]

Closing here as there is no bug in the code.

Can you please open an issue in the documentation repository about this or send a PR that improves the current wording?

@xabbuh xabbuh closed this as completed Apr 19, 2021
@zidaneus
Copy link
Author
zidaneus commented Apr 19, 2021
edited
Loading

But in fact, you can specify ips as a string (through envs) and it works correctly (if ips = "%env(APP_IP_ADDRESSES)%"). That is, the problem occurs only when validating the bundle configuration.

@zidaneus zidaneus mentioned this issue Apr 19, 2021
Closed
@ro0NL ro0NL mentioned this issue Apr 20, 2021
Closed
@edefimov edefimov mentioned this issue Apr 22, 2021
Merged
nicolas-grekas added a commit that referenced this issue May 7, 2021
@nicolas-grekas
bug #40902 [Security] Allow ips parameter in access_control to accept…
897f287 
… comma-separated string (edefimov)

This PR was merged into the 5.2 branch.

Discussion
----------

[Security] Allow ips parameter in access_control to accept comma-separated string

| Q             | A
| ------------- | ---
| Branch?       | 5.2
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | #40881, #40864, #40865
| License       | MIT

PR #38149 introduced a new feature to accept a comma-separated string in ip adresses setting in `access_control` configuration  section of security bundle.

However the feature works in inconsistent manner: comma-separated string can be successfully passed via environment variable, but can not be passed as plain string. This PR changes this inconsistent behavior by allowing validation pass if comma-separated list of ip addresses is given in plain string.

More detailed explanation about the inconsistent behavior can be found [here](#40881 (comment))

Commits
-------

8947482 [SecurityBundle] Allow ips parameter in access_control accept comma-separated string
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@xabbuh @zidaneus @carsonbot
0