[HttpFoundation] IPv4-mapped IPv6 addresses incorrectly rejected #48420

Closed
bonroyage opened this issue Dec 1, 2022 · 4 comments
@bonroyage
Contributor

bonroyage commented Dec 1, 2022

Symfony version(s) affected

6.1.8

Description

IPv4 to IPv6 mapped addresses are incorrectly rejected by the checkIp6 function, because of the check for dots added in #48050. For example, Azure Frontdoor makes requests where the IP address is listed as ::ffff:147.243.231.120. This broke my Laravel installation because suddenly these requests were blocked by the TrustProxies middleware.

How to reproduce

In 6.1.7:

\Symfony\Component\HttpFoundation\IpUtils::checkIp6('::ffff:147.243.231.120', '::ffff:147.243.0.0/16')
// true

In 6.1.8:

\Symfony\Component\HttpFoundation\IpUtils::checkIp6('::ffff:147.243.231.120', '::ffff:147.243.0.0/16')
// false

Possible Solution

Remove the check for dots, because pure IPv4 addresses are rejected by the filter_var function when the IPv6 flag is added:

filter_var("10.0.0.1", \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)
// false

While those in IPv6 notation are allowed

filter_var("::ffff:10.0.0.1", \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)
// "::ffff:10.0.0.1"

But to also check that the $ip is valid IPv6, check that it is valid with the filter_var function

Additional Context

In RFC-4291, dots are allowed in IPv6 addresses

2.2. Text Representation of Addresses

3. An alternative form that is sometimes more convenient when dealing
      with a mixed environment of IPv4 and IPv6 nodes is
      x:x:x:x:x:x:d.d.d.d, where the 'x's are the hexadecimal values of
      the six high-order 16-bit pieces of the address, and the 'd's are
      the decimal values of the four low-order 8-bit pieces of the
      address (standard IPv4 representation).  Examples:

         0:0:0:0:0:0:13.1.68.3

         0:0:0:0:0:FFFF:129.144.52.38

      or in compressed form:

         ::13.1.68.3

         ::FFFF:129.144.52.38

2.5.5.2. IPv4-Mapped IPv6 Address

   A second type of IPv6 address that holds an embedded IPv4 address is
   defined.  This address type is used to represent the addresses of
   IPv4 nodes as IPv6 addresses.  The format of the "IPv4-mapped IPv6
   address" is as follows:

   |                80 bits               | 16 |      32 bits        |
   +--------------------------------------+--------------------------+
   |0000..............................0000|FFFF|    IPv4 address     |
   +--------------------------------------+----+---------------------+
@bonroyage bonroyage added the Bug label Dec 1, 2022
@bonroyage bonroyage changed the title IPv4-mapped IPv6 addresses incorrectly rejected [HttpFoundation] IPv4-mapped IPv6 addresses incorrectly rejected Dec 1, 2022
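
The behaviour reported above, as an added example (not Symfony's IpUtils code and not part of the original issue): a stand-alone IPv6 CIDR matcher that validates with filter_var() instead of rejecting dots, next to a constructed stand-in for the dot check. The function names and the last three sample cases are assumptions made for illustration.

```php
<?php
// Added example: not Symfony's IpUtils code; function names are hypothetical.

/** Match $ip against an IPv6 address or CIDR, accepting RFC 4291 dotted forms. */
function ip6InCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '128');
    // With FILTER_FLAG_IPV6, filter_var() rejects bare IPv4 ("10.0.0.1") but
    // accepts mixed notation ("::ffff:10.0.0.1"), so no separate dot check is needed.
    foreach ([$ip, $net] as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
            return false;
        }
    }
    if (!ctype_digit($bits) || (int) $bits > 128) {
        return false;
    }
    $bits = (int) $bits;

    // inet_pton() returns 16 raw bytes for every valid IPv6 text form.
    $a = inet_pton($ip);
    $n = inet_pton($net);
    $full = intdiv($bits, 8);          // whole bytes covered by the prefix
    if (substr($a, 0, $full) !== substr($n, 0, $full)) {
        return false;
    }
    $rest = $bits % 8;                 // remaining prefix bits in the next byte
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return $rest === 0 || ((ord($a[$full]) ^ ord($n[$full])) & $mask) === 0;
}

/** Constructed stand-in for the regression: any dot in $ip means "not IPv6". */
function ip6InCidrDotRejecting(string $ip, string $cidr): bool
{
    return !str_contains($ip, '.') && ip6InCidr($ip, $cidr);
}

// Constructed cases: the issue's addresses, a bare IPv4, and a prefix-length check.
$cases = [
    ['::ffff:147.243.231.120', '::ffff:147.243.0.0/16'],
    ['::ffff:172.28.0.1',      '::ffff:172.28.0.1'],
    ['10.0.0.1',               '::ffff:10.0.0.0/104'],
    ['::ffff:8.8.8.8',         '::ffff:147.243.0.0/16'],
    ['::ffff:8.8.8.8',         '::ffff:147.243.0.0/112'],
];
foreach ($cases as [$ip, $cidr]) {
    printf("%-23s %-23s validated=%-5s dot-rejecting=%s\n", $ip, $cidr,
        var_export(ip6InCidr($ip, $cidr), true),
        var_export(ip6InCidrDotRejecting($ip, $cidr), true));
}
```

Because an IPv6 prefix length counts from the first of the 128 bits, the last two cases show that `/16` on a mapped address also matches `::ffff:8.8.8.8`, while `/112` (96 + 16) restricts the match to 147.243.0.0/16.
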
@PhilETaylor
Contributor

I broke this. Sorry.

@emielmolenaar

Same thing for us on the 6.0 branch, 6.0.16 broke things. Simple example:

6.0.16:

\Symfony\Component\HttpFoundation\IpUtils::checkIp6('::ffff:172.28.0.1', '::ffff:172.28.0.1'); 
// false

6.0.15:

\Symfony\Component\HttpFoundation\IpUtils::checkIp6('::ffff:172.28.0.1', '::ffff:172.28.0.1'); 
// true

@PhilETaylor
Contributor

@emielmolenaar I'm sorry I broke it. Please test the PR from @bonroyage at #48421

@emielmolenaar

@PhilETaylor No worries, these things happen 😃 Will look into the PR, thanks!

@fabpot fabpot closed this as completed Dec 9, 2022
fabpot added a commit that referenced this issue Dec 9, 2022
…jected (bonroyage)

This PR was squashed before being merged into the 5.4 branch.

Discussion
----------

[HttpFoundation] IPv4-mapped IPv6 addresses incorrectly rejected

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #48420
| License       | MIT

I've based it on 4.4 because that's where #48050 was merged into, but I guess I'm 1 day too late with a fix for that version

Commits
-------

2170d3c [HttpFoundation] IPv4-mapped IPv6 addresses incorrectly rejected