Fix IPv6 remote addresses from X_FORWARDED_FOR headers before validating 21654/head
authorJoas Schilling <coding@schilljs.com>
Thu, 2 Jul 2020 09:05:02 +0000 (11:05 +0200)
committerbackportbot[bot] <backportbot[bot]@users.noreply.github.com>
Thu, 2 Jul 2020 10:09:45 +0000 (10:09 +0000)
Signed-off-by: Joas Schilling <coding@schilljs.com>
lib/private/AppFramework/Http/Request.php
tests/lib/AppFramework/Http/RequestTest.php

index 3563ce3a2005eed9ef740d1d18123e803e8e9138..e2abf832538df2130c449e13639e759dd9fc1a2d 100644 (file)
@@ -659,6 +659,12 @@ class Request implements \ArrayAccess, \Countable, IRequest {
                                if(isset($this->server[$header])) {
                                        foreach(explode(',', $this->server[$header]) as $IP) {
                                                $IP = trim($IP);
+
+                                               // remove brackets from IPv6 addresses
+                                               if (strpos($IP, '[') === 0 && substr($IP, -1) === ']') {
+                                                       $IP = substr($IP, 1, -1);
+                                               }
+
                                                if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
                                                        return $IP;
                                                }
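Review bot: The bracket check `strpos($IP, '[') === 0 && substr($IP, -1) === ']'` only matches an entry that is exactly `[addr]`, so a forwarded entry that carries a port, such as the constructed sample `[2001:db8::1]:443`, still fails `filter_var` and the loop moves on to the next entry in the header. The address returned would then belong to a different hop than the one the proxy reported, which matters for anything keyed on the remote address, such as throttling or audit logs. If proxies in front of a deployment can emit ports, consider `if (preg_match('/^\[([^\]]+)\](?::\d+)?$/', $IP, $m)) { $IP = $m[1]; }` and keep `filter_var` as the only acceptance gate. The enclosing method starts and ends outside the hunk, so what is returned when no entry validates is not visible here.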
index 56982aaf5117b807197c8b577b7006c9aec6e202..b1542e9d68e8389c9e353d738f55e82dc3ef4c56 100644 (file)
@@ -634,6 +634,34 @@ class RequestTest extends \Test\TestCase {
                $this->assertSame('192.168.3.99', $request->getRemoteAddress());
        }
 
+       public function testGetRemoteAddressWithXForwardedForIPv6() {
+               $this->config
+                       ->expects($this->at(0))
+                       ->method('getSystemValue')
+                       ->with('trusted_proxies')
+                       ->willReturn(['192.168.2.0/24']);
+               $this->config
+                       ->expects($this->at(1))
+                       ->method('getSystemValue')
+                       ->with('forwarded_for_headers')
+                       ->willReturn(['HTTP_X_FORWARDED_FOR']);
+
+               $request = new Request(
+                       [
+                               'server' => [
+                                       'REMOTE_ADDR' => '192.168.2.99',
+                                       'HTTP_X_FORWARDED_FOR' => '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
+                               ],
+                       ],
+                       $this->secureRandom,
+                       $this->config,
+                       $this->csrfTokenManager,
+                       $this->stream
+               );
+
+               $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $request->getRemoteAddress());
+       }
+
        /**
         * @return array
         */
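Review bot: testGetRemoteAddressWithXForwardedForIPv6 pins only the well-formed `[addr]` case, so nothing guards the rejection side of the new bracket stripping. A companion case with a bracketed non-address (constructed sample: `'HTTP_X_FORWARDED_FOR' => '[not-an-ip]'`) and one with an unbalanced bracket would confirm that removing brackets never lets an invalid value through as the remote address. The expected value for those cases is whatever getRemoteAddress() returns when no header entry validates, which is decided outside this hunk. A data provider over header value and expected address would keep the three cases in one test.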