IP based access_control fails inversely #3812
Conversation
…oundation\RequestMatcher
|
The RequestMatcher has a method |
|
btw, this would break the limitation of the profiler to specific IP addresses, but enabling the profiler for all IPs except the specified ones. |
|
Could you open a ticket on the docs repository? This patch cannot be applied. |
|
There is still an issue here. The point is what stof described is already happening to the access control rules. Anyone coming from an IP address defined in security.yml is rejected. This is the offending logic. Clearly there is an inconsistency somewhere in the code since two separate functions using the same class for the same function are behaving differently. Is the doc repository the best place to file this issue? |
|
Maybe we can add another matcher implementation, but this patch would create security vulnerabilities in many applications. |
This control does the opposite of what the documentation states. Addresses defined in security.yml are denied rather than allowed if the request IP matches. I pulled the logic from checkIp4() and checkIp6() and the logic is correct there. Issue is the inversion in matches() line 139.