[Http-Foundation] IpUtils matches IPv6 ::1 with IPv4 0.0.0.0/8  #48049

Closed
@danielburger1337

Symfony version(s) affected

6.1.x

Description

The IpUtils::checkIp6 method validates that IPv6 loopback addresses ::1 are in the IPv4 0.0.0.0/8 subnet.

I don't know much about IPv6 networking and therefore I am not sure if this is expected behavior. I couldn't find any clear information if IPv4 and IPv6 subnet matching SHOULD be compatible.

How to reproduce

use Symfony\Component\HttpFoundation\IpUtils;

var_dump(IpUtils::checkIp('::1', '0.0.0.0/8')); // true

Possible Solution

I'm going to be totally honest, I don't have any clue how the IPv6 net mask validation works but my guess, if this really is a bug, is that there is a logic error because ::1 implies that the first 6 bits are 0.

Additional Context

Again, I don't understand the byte magic that is happening in IpUtils::checkIp6, but my guess is that older versions of http-foundation are also affected by this.
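
One way a cross-family match like the one reported above can arise, assuming a prefix comparison that never checks address families. This is an added illustration, not Symfony's IpUtils code and not part of the original report; all function names are hypothetical and the inputs are constructed.

```php
<?php
// Added illustration, not Symfony's IpUtils code. All function names are hypothetical.

/** Compare the first $bits bits of two packed (inet_pton) addresses. */
function prefixMatches(string $ip, string $net, int $bits): bool
{
    $fullBytes = intdiv($bits, 8);
    if (strncmp($ip, $net, $fullBytes) !== 0) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ip[$fullBytes]) & $mask) === (ord($net[$fullBytes]) & $mask);
}

/** Weak form: never checks that address and subnet share an address family. */
function naiveInSubnet(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    return prefixMatches(inet_pton($ip), inet_pton($net), (int) $bits);
}

/** Hardened form: a family mismatch or an out-of-range prefix is a non-match. */
function strictInSubnet(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $max = strlen($netBin) * 8;
    $bits = $bits === null ? $max : (int) $bits;
    return $bits >= 0 && $bits <= $max && prefixMatches($ipBin, $netBin, $bits);
}

// Constructed sample inputs.
foreach ([['::1', '0.0.0.0/8'], ['0.1.2.3', '0.0.0.0/8'], ['::1', '::/8']] as [$ip, $cidr]) {
    printf("%-8s in %-10s naive=%s strict=%s\n", $ip, $cidr,
        var_export(naiveInSubnet($ip, $cidr), true),
        var_export(strictInSubnet($ip, $cidr), true));
}
```

With these inputs the naive check accepts `::1` for `0.0.0.0/8` because both packed forms begin with a zero byte, while the strict check rejects it and still matches the two same-family cases.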
