From 6279815f23729c1f482e95192d3449ae8b8beb06 Mon Sep 17 00:00:00 2001
From: Alex Silcock
Date: Thu, 8 Oct 2015 15:18:26 +0100
Subject: [PATCH 1/2] bug #16055 [HttpFoundation] Fixes /0 subnet handling in IpUtils
---
 src/Symfony/Component/HttpFoundation/IpUtils.php | 13 +++++++------
 .../Component/HttpFoundation/Tests/IpUtilsTest.php | 7 +++----
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/Symfony/Component/HttpFoundation/IpUtils.php b/src/Symfony/Component/HttpFoundation/IpUtils.php
index fb906b6812d23..e08301ece16c5 100644
--- a/src/Symfony/Component/HttpFoundation/IpUtils.php
+++ b/src/Symfony/Component/HttpFoundation/IpUtils.php
@@ -57,18 +57,19 @@ public static function checkIp($requestIp, $ips)
 * @param string $requestIp IPv4 address to check
 * @param string $ip IPv4 address or subnet in CIDR notation
 *
- * @return bool Whether the IP is valid
+ * @return bool Whether the request IP matches the IP, or whether the request IP is within the CIDR subnet.
 */
 public static function checkIp4($requestIp, $ip)
 {
 if (false !== strpos($ip, '/')) {
- if ('0.0.0.0/0' === $ip) {
- return true;
- }
-
 list($address, $netmask) = explode('/', $ip, 2);
- if ($netmask < 1 || $netmask > 32) {
+ if ($netmask === '0') {
+ // Ensure IP is valid - using ip2long below implicitly validates, but we need to do it manually here
+ return filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
+ }
+ if ($netmask < 0 || $netmask > 32) {
 return false;
 }
 } else {
diff --git a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php
index 0002478246ab9..e06467eb209e3 100644
--- a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php
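Review bot: Relaxing the range check in the IpUtils.php hunk to `$netmask < 0` admits mask strings that are not exactly `'0'` but still compare as zero (for example `'00'`, or an empty or non-numeric mask on PHP versions that coerce such strings to 0); the old `< 1` test rejected them, and they now fall through to the matching code below the hunk, which is not visible here. Validating the mask as decimal digits first closes that gap: `if (!ctype_digit($netmask) || $netmask > 32) { return false; }` placed ahead of the zero check, with the zero check written as `if (0 === (int) $netmask) {`, which also matches the Yoda style used by `false !== strpos(...)`. The `/0` branch returns filter_var()'s result, which is the address string or false, although the docblock promises bool; `return false !== filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);` keeps the contract. That branch never inspects `$requestIp`, so callers that rely on this method for allow-lists or trusted-proxy decisions should confirm the request address is validated elsewhere. checkIp4() continues past the end of the hunk.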
@@ -30,13 +30,12 @@ public function testIpv4Provider()
 array(true, '192.168.1.1', '192.168.1.1/1'),
 array(true, '192.168.1.1', '192.168.1.0/24'),
 array(false, '192.168.1.1', '1.2.3.4/1'),
- array(false, '192.168.1.1', '192.168.1/33'),
+ array(false, '192.168.1.1', '192.168.1.1/33'), // invalid subnet
 array(true, '192.168.1.1', array('1.2.3.4/1', '192.168.1.0/24')),
 array(true, '192.168.1.1', array('192.168.1.0/24', '1.2.3.4/1')),
 array(false, '192.168.1.1', array('1.2.3.4/1', '4.3.2.1/1')),
- array(true, '1.2.3.4', '0.0.0.0/0'),
- array(false, '1.2.3.4', '256.256.256/0'),
- array(false, '1.2.3.4', '192.168.1.0/0'),
+ array(false, '1.2.3.4', '256.256.256/0'), // invalid CIDR notation
+ array(true, '1.2.3.4', '192.168.1.0/0'),
 );
 }
From 4d5ec5567cbf3263ba24823465e2f09e54bb49a7 Mon Sep 17 00:00:00 2001
From: Alex Silcock
Date: Thu, 8 Oct 2015 16:25:18 +0100
Subject: [PATCH 2/2] bug #16055 [HttpFoundation] Re-add a test case
---
 src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php
index e06467eb209e3..e87baea34adaa 100644
--- a/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php
@@ -34,8 +34,9 @@ public function testIpv4Provider()
 array(true, '192.168.1.1', array('1.2.3.4/1', '192.168.1.0/24')),
 array(true, '192.168.1.1', array('192.168.1.0/24', '1.2.3.4/1')),
 array(false, '192.168.1.1', array('1.2.3.4/1', '4.3.2.1/1')),
- array(false, '1.2.3.4', '256.256.256/0'), // invalid CIDR notation
+ array(true, '1.2.3.4', '0.0.0.0/0'),
 array(true, '1.2.3.4', '192.168.1.0/0'),
+ array(false, '1.2.3.4', '256.256.256/0'), // invalid CIDR notation
 );
 }
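Review bot: The provider rows in the first IpUtilsTest.php hunk (PATCH 1/2) cover `/0`, `/1`, `/24` and `/33` but no mask that is empty or non-numeric, so the loosened range check in checkIp4() has no test at its new lower boundary. Rows such as `array(false, '1.2.3.4', '192.168.1.0/'),` and `array(false, '1.2.3.4', '192.168.1.0/abc'),` would record the result for malformed masks; the expected value `false` is an assumption about the intended behaviour and should be confirmed before they are added. The hunk in PATCH 2/2 only restores and reorders rows and raises nothing further.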