Fix IPv6 remote addresses from X_FORWARDED_FOR headers before validating 21653/head
authorJoas Schilling <coding@schilljs.com>
Thu, 2 Jul 2020 09:05:02 +0000 (11:05 +0200)
committerJoas Schilling <coding@schilljs.com>
Thu, 2 Jul 2020 09:13:13 +0000 (11:13 +0200)
Signed-off-by: Joas Schilling <coding@schilljs.com>
lib/private/AppFramework/Http/Request.php
tests/lib/AppFramework/Http/RequestTest.php

index 12748e0dd62e386250f688ed259295edf857859f..6428f7116b0e056bca561f562d90a7b2c23c262a 100644 (file)
@@ -653,6 +653,12 @@ class Request implements \ArrayAccess, \Countable, IRequest {
                                if (isset($this->server[$header])) {
                                        foreach (explode(',', $this->server[$header]) as $IP) {
                                                $IP = trim($IP);
+
+                                               // remove brackets from IPv6 addresses
+                                               if (strpos($IP, '[') === 0 && substr($IP, -1) === ']') {
+                                                       $IP = substr($IP, 1, -1);
+                                               }
+
                                                if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
                                                        return $IP;
                                                }
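Review bot: The bracket stripping only matches an entry that is exactly `[addr]`, so an entry in the `[addr]:port` form still fails `filter_var` and is silently skipped; the loop then returns the next comma-separated entry, which may be a different hop. If callers use this value for logging or rate limiting (not visible here), that attributes the request to the wrong address, so I would either accept the port form as well, e.g. `if (preg_match('/^\[([^\]]+)\](:\d+)?$/', $IP, $m)) { $IP = $m[1]; }`, or state in the comment that ports are not supported. Stripping also lets a bracketed IPv4 value such as `[192.0.2.1]` validate; passing `FILTER_FLAG_IPV6` to `filter_var` when brackets were removed would keep the check strict. The enclosing method starts and ends outside this hunk.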
index a8e2f2248c60e85341770e684e6db3b9eae51eda..7260b31b27ed94874c29c38884102e0c0edb8f69 100644 (file)
@@ -632,6 +632,34 @@ class RequestTest extends \Test\TestCase {
                $this->assertSame('192.168.3.99', $request->getRemoteAddress());
        }
 
+       public function testGetRemoteAddressWithXForwardedForIPv6() {
+               $this->config
+                       ->expects($this->at(0))
+                       ->method('getSystemValue')
+                       ->with('trusted_proxies')
+                       ->willReturn(['192.168.2.0/24']);
+               $this->config
+                       ->expects($this->at(1))
+                       ->method('getSystemValue')
+                       ->with('forwarded_for_headers')
+                       ->willReturn(['HTTP_X_FORWARDED_FOR']);
+
+               $request = new Request(
+                       [
+                               'server' => [
+                                       'REMOTE_ADDR' => '192.168.2.99',
+                                       'HTTP_X_FORWARDED_FOR' => '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
+                               ],
+                       ],
+                       $this->secureRandom,
+                       $this->config,
+                       $this->csrfTokenManager,
+                       $this->stream
+               );
+
+               $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $request->getRemoteAddress());
+       }
+
        /**
         * @return array
         */
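Review bot: `testGetRemoteAddressWithXForwardedForIPv6` pins only the accepted case, a single well-formed bracketed address, so nothing covers the inputs the new stripping has to reject or leave alone. I would add cases for an unbracketed IPv6 entry, for malformed values such as `[`, `[]` and `[2001:db8::1]:443` (constructed samples), and for a header with several comma-separated entries, each asserting exactly which address `getRemoteAddress()` returns. A data provider would keep these in one method, and the invalid-entry cases would document whether falling through to a later entry, or presumably to `REMOTE_ADDR`, is intended. The trailing docblock lines belong to a method that continues outside the hunk.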