Use Symfony IpUtils to check for local IP ranges 33031/head
authorCôme Chilliet <come.chilliet@nextcloud.com>
Tue, 12 Jul 2022 10:09:05 +0000 (12:09 +0200)
committerCôme Chilliet <come.chilliet@nextcloud.com>
Tue, 12 Jul 2022 10:09:05 +0000 (12:09 +0200)
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
lib/private/Http/Client/LocalAddressChecker.php
tests/lib/Http/Client/LocalAddressCheckerTest.php

index b0c420a4fe8cae41524fbaaa2a65794daa99877d..f4fea503ab9d5b11851cfea798b82c7f74d807f6 100644 (file)
@@ -27,6 +27,7 @@ namespace OC\Http\Client;
 
 use OCP\Http\Client\LocalServerException;
 use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\IpUtils;
 
 class LocalAddressChecker {
        private LoggerInterface $logger;
@@ -36,12 +37,15 @@ class LocalAddressChecker {
        }
 
        public function ThrowIfLocalIp(string $ip) : void {
-               $localIps = ['100.100.100.200'];
+               $localRanges = [
+                       '100.64.0.0/10', // See RFC 6598
+                       '192.0.0.0/24', // See RFC 6890
+               ];
                if (
                        (bool)filter_var($ip, FILTER_VALIDATE_IP) &&
                        (
                                !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) ||
-                               in_array($ip, $localIps, true)
+                               IpUtils::checkIp($ip, $localRanges)
                        )) {
                        $this->logger->warning("Host $ip was not connected to because it violates local access rules");
                        throw new LocalServerException('Host violates local access rules');
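Review bot: The entries in `$localRanges` cite their RFCs but do not say why they are needed on top of the `filter_var` flags in the condition below. A comment above the array such as `// Ranges not rejected by FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE that must still be treated as local` would tell the next maintainer where further ranges belong. The array also appears to be read by the later IPv4 branch, so declaring it once as a `private const` on the class would keep both checks on the same list. ThrowIfLocalIp continues past the end of this hunk.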
@@ -54,7 +58,7 @@ class LocalAddressChecker {
 
                        if (
                                !filter_var($ipv4Address, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) ||
-                               in_array($ipv4Address, $localIps, true)) {
+                               IpUtils::checkIp($ip, $localRanges)) {
                                $this->logger->warning("Host $ip was not connected to because it violates local access rules");
                                throw new LocalServerException('Host violates local access rules');
                        }
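Review bot: The changed line passes `$ip` to `IpUtils::checkIp()`, while the `filter_var` call directly above it and the removed `in_array` both test `$ipv4Address`. If this branch handles an IPv4 address extracted from an IPv6-embedded form, as the variable name suggests, the extracted address is never compared with `$localRanges`. The original `$ip` was already compared in the first condition, so an address from 100.64.0.0/10 or 192.0.0.0/24 written in that form would probably not be rejected. The line should read `IpUtils::checkIp($ipv4Address, $localRanges)) {`. The enclosing block begins outside the hunk, so how `$ipv4Address` is derived is not visible here.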
index 0bba1cee5f4a24abd93abe7a8ccdcd22ce28a96e..9f2f6c72993e3cd7f29f54f703271b789009c987 100644 (file)
@@ -96,6 +96,8 @@ class LocalAddressCheckerTest extends \Test\TestCase {
                        ['10.0.0.1'],
                        ['::'],
                        ['::1'],
+                       ['100.100.100.200'],
+                       ['192.0.0.1'],
                ];
        }
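Review bot: The added cases cover the new ranges only in plain IPv4 notation, so nothing here exercises the branch of ThrowIfLocalIp that checks `$ipv4Address`. Adding the embedded form of one of the new addresses, for example `['::ffff:100.100.100.200'],` (a constructed value, assuming that branch handles IPv4-mapped IPv6 addresses), would confirm the range check applies there too. The data provider's name and first lines are outside the hunk.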
 
@@ -116,6 +118,9 @@ class LocalAddressCheckerTest extends \Test\TestCase {
                        ['another-host.local'],
                        ['service.localhost'],
                        ['!@#$'], // test invalid url
+                       ['100.100.100.200'],
+                       ['192.0.0.1'],
+                       ['randomdomain.internal'],
                ];
        }