From e8fdc4762a01753f3f6488524b7aa70b666799c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?= <mail@jan-boehmer.de>
Date: Sun, 1 Dec 2024 19:30:20 +0100
Subject: [PATCH 1/2] [HttpFoundation] Fixed `IpUtils::anonymize` exception
 when using IPv6 link-local addresses with RFC4007 scoping

---
 IpUtils.php           | 10 ++++++++++
 Tests/IpUtilsTest.php |  1 +
 2 files changed, 11 insertions(+)

diff --git a/IpUtils.php b/IpUtils.php
index ceab620c2..18b1c5faf 100644
--- a/IpUtils.php
+++ b/IpUtils.php
@@ -182,6 +182,16 @@ public static function checkIp6(string $requestIp, string $ip): bool
      */
     public static function anonymize(string $ip): string
     {
+        /**
+         * If the IP contains a % symbol, then it is a local-link address with scoping according to RFC 4007
+         * In that case, we only care about the part before the % symbol, as the following functions, can only work with
+         * the IP address itself. As the scope can leak information (containing interface name), we do not want to
+         * include it in our anonymized IP data.
+         */
+        if (str_contains($ip, '%')) {
+            $ip = substr($ip, 0, strpos($ip, '%'));
+        }
+
         $wrappedIPv6 = false;
         if (str_starts_with($ip, '[') && str_ends_with($ip, ']')) {
             $wrappedIPv6 = true;
diff --git a/Tests/IpUtilsTest.php b/Tests/IpUtilsTest.php
index ce93c69e9..2a86fbc2d 100644
--- a/Tests/IpUtilsTest.php
+++ b/Tests/IpUtilsTest.php
@@ -147,6 +147,7 @@ public static function anonymizedIpData()
             ['[2a01:198::3]', '[2a01:198::]'],
             ['::ffff:123.234.235.236', '::ffff:123.234.235.0'], // IPv4-mapped IPv6 addresses
             ['::123.234.235.236', '::123.234.235.0'], // deprecated IPv4-compatible IPv6 address
+            ['fe80::1fc4:15d8:78db:2319%enp4s0', 'fe80::'], // IPv6 link-local with RFC4007 scoping
         ];
     }
 

From d0492d6217e5ab48f51fca76f64cf8e78919d0db Mon Sep 17 00:00:00 2001
From: Nicolas Grekas <nicolas.grekas@gmail.com>
Date: Tue, 7 Jan 2025 18:11:41 +0100
Subject: [PATCH 2/2] [HttpFoundation][FrameworkBundle] Reset Request's formats
 using the service resetter

---
 RequestStack.php           |  7 +++++++
 Tests/RequestStackTest.php | 14 ++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/RequestStack.php b/RequestStack.php
index 5aa8ba793..ca61eef29 100644
--- a/RequestStack.php
+++ b/RequestStack.php
@@ -106,4 +106,11 @@ public function getSession(): SessionInterface
 
         throw new SessionNotFoundException();
     }
+
+    public function resetRequestFormats(): void
+    {
+        static $resetRequestFormats;
+        $resetRequestFormats ??= \Closure::bind(static fn () => self::$formats = null, null, Request::class);
+        $resetRequestFormats();
+    }
 }
diff --git a/Tests/RequestStackTest.php b/Tests/RequestStackTest.php
index 2b26ce5c6..3b958653f 100644
--- a/Tests/RequestStackTest.php
+++ b/Tests/RequestStackTest.php
@@ -67,4 +67,18 @@ public function testGetParentRequest()
         $requestStack->push($secondSubRequest);
         $this->assertSame($firstSubRequest, $requestStack->getParentRequest());
     }
+
+    public function testResetRequestFormats()
+    {
+        $requestStack = new RequestStack();
+
+        $request = Request::create('/foo');
+        $request->setFormat('foo', ['application/foo']);
+
+        $this->assertSame(['application/foo'], $request->getMimeTypes('foo'));
+
+        $requestStack->resetRequestFormats();
+
+        $this->assertSame([], $request->getMimeTypes('foo'));
+    }
 }