From 8ad32f0ef56b13fb7930fea9dcface331f6ded22 Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Tue, 10 Oct 2017 10:04:23 +0200 Subject: [PATCH] never match invalid IP addresses --- .../Component/HttpFoundation/IpUtils.php | 4 ++++ .../HttpFoundation/Tests/IpUtilsTest.php | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/src/Symfony/Component/HttpFoundation/IpUtils.php b/src/Symfony/Component/HttpFoundation/IpUtils.php index dc6d3ec818a32..3bb33140f5055 100644 --- a/src/Symfony/Component/HttpFoundation/IpUtils.php +++ b/src/Symfony/Component/HttpFoundation/IpUtils.php @@ -87,6 +87,10 @@ public static function checkIp4($requestIp, $ip) $netmask = 32; } + if (false === ip2long($address)) { + return self::$checkedIps[$cacheKey] = false; + } + return self::$checkedIps[$cacheKey] = 0 === substr_compare(sprintf('%032b', ip2long($requestIp)), sprintf('%032b', ip2long($address)), 0, $netmask); } diff --git a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php index 297ee3d8d3542..54cbb5c20672d 100644 --- a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php +++ b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php @@ -82,4 +82,21 @@ public function testAnIpv6WithOptionDisabledIpv6() IpUtils::checkIp('2a01:198:603:0:396e:4789:8e99:890f', '2a01:198:603:0::/65'); } + + /** + * @dataProvider invalidIpAddressData + */ + public function testInvalidIpAddressesDoNotMatch($requestIp, $proxyIp) + { + $this->assertFalse(IpUtils::checkIp4($requestIp, $proxyIp)); + } + + public function invalidIpAddressData() + { + return array( + 'invalid proxy wildcard' => array('192.168.20.13', '*'), + 'invalid proxy missing netmask' => array('192.168.20.13', '0.0.0.0'), + 'invalid request IP with invalid proxy wildcard' => array('0.0.0.0', '*'), + ); + } }