author | Vincent Petry <vincent@nextcloud.com> | 2022-09-22 17:32:22 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-09-22 17:32:22 +0200 |
commit | 42bc4a0b2a481609f804bcef69ddb21121da97f7 (patch) | |
tree | 83d49b55cad9caccaa692003e89c5b4577943a85 | |
parent | 9366ec0fb8aba7a42887f6acfad85243995c9a12 (diff) | |
parent | 205760a3aa79c8aa9cc8ca6a70a8bf35cf2292a8 (diff) | |
download | nextcloud-server-42bc4a0b2a481609f804bcef69ddb21121da97f7.tar.gz nextcloud-server-42bc4a0b2a481609f804bcef69ddb21121da97f7.zip |
Merge pull request #34195 from nextcloud/backport/34160/stable25
[stable25] Detect weird local ips
m--------- | 3rdparty | 0 | ||||
-rw-r--r-- | build/stubs/intl.php | 4 | ||||
-rw-r--r-- | lib/private/Http/Client/DnsPinMiddleware.php | 2 | ||||
-rw-r--r-- | lib/private/Http/Client/LocalAddressChecker.php | 33 | ||||
-rw-r--r-- | tests/lib/Http/Client/ClientTest.php | 1 | ||||
-rw-r--r-- | tests/lib/Http/Client/LocalAddressCheckerTest.php | 23 |
6 files changed, 44 insertions, 19 deletions
diff --git a/3rdparty b/3rdparty -Subproject f143482ffb0b8dfdbc08cd848ce2e66f02a5d9b +Subproject 3095d4062823f3f913d594f9ff313010ed55cd7 diff --git a/build/stubs/intl.php b/build/stubs/intl.php index 201db9a33f4..08e0c719338 100644 --- a/build/stubs/intl.php +++ b/build/stubs/intl.php @@ -4622,7 +4622,7 @@ function idn_to_ascii($domain, $options = 0, $variant = INTL_IDNA_VARIANT_2003, * @param int $variant [optional] <p> * Either INTL_IDNA_VARIANT_2003 for IDNA 2003 or INTL_IDNA_VARIANT_UTS46 for UTS #46. * </p> - * @param int &$idna_info [optional] <p> + * @param array &$idna_info [optional] <p> * This parameter can be used only if INTL_IDNA_VARIANT_UTS46 was used for variant. * In that case, it will be filled with an array with the keys 'result', * the possibly illegal result of the transformation, 'isTransitionalDifferent', @@ -4634,7 +4634,7 @@ function idn_to_ascii($domain, $options = 0, $variant = INTL_IDNA_VARIANT_2003, * RFC 3490 4.2 states though "ToUnicode never fails. If any step fails, then the original input * sequence is returned immediately in that step." */ -function idn_to_utf8($domain, $options = 0, $variant = INTL_IDNA_VARIANT_2003, array &$idna_info) { } +function idn_to_utf8($domain, $options = 0, $variant = INTL_IDNA_VARIANT_2003, array &$idna_info = null) { } /** * (PHP 5 >=5.5.0 PECL intl >= 3.0.0a1)<br/> diff --git a/lib/private/Http/Client/DnsPinMiddleware.php b/lib/private/Http/Client/DnsPinMiddleware.php index ee0ea053dcf..f5e6214a4ab 100644 --- a/lib/private/Http/Client/DnsPinMiddleware.php +++ b/lib/private/Http/Client/DnsPinMiddleware.php @@ -125,7 +125,7 @@ class DnsPinMiddleware { $ports[] = (string)$port; } - $targetIps = $this->dnsResolve($hostName, 0); + $targetIps = $this->dnsResolve(idn_to_utf8($hostName), 0); $curlResolves = []; diff --git a/lib/private/Http/Client/LocalAddressChecker.php b/lib/private/Http/Client/LocalAddressChecker.php index f4fea503ab9..13a7d062de3 100644 
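Review bot: `idn_to_utf8()` returns `false` when a label cannot be converted, and the new DnsPinMiddleware line hands that result straight to `$this->dnsResolve(idn_to_utf8($hostName), 0)`; if dnsResolve declares a `string` parameter (its signature is outside the hunk) this is a TypeError under strict_types, and otherwise the middleware resolves an empty name instead of the requested one. The same unchecked call appears in the `ThrowIfLocalAddress` hunk of LocalAddressChecker.php, where the result feeds `strpos($host, '[')` on the following line. Check the result before using it, e.g. `$utf8Host = idn_to_utf8($hostName); if ($utf8Host === false) { $utf8Host = $hostName; }` here, and in ThrowIfLocalAddress prefer failing closed with the exception already used in that hunk, `if ($host === false) { throw new LocalServerException('Could not detect any host'); }`, so a name the converter rejects can never slip past the local-address check. Both enclosing methods continue outside their hunks.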
--- a/lib/private/Http/Client/LocalAddressChecker.php
+++ b/lib/private/Http/Client/LocalAddressChecker.php
@@ -25,6 +25,9 @@ declare(strict_types=1);
 */
 namespace OC\Http\Client;
 
+use IPLib\Address\IPv6;
+use IPLib\Factory;
+use IPLib\ParseStringFlag;
 use OCP\Http\Client\LocalServerException;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpFoundation\IpUtils;
@@ -37,6 +40,21 @@ class LocalAddressChecker {
 }
 
 public function ThrowIfLocalIp(string $ip) : void {
+ $parsedIp = Factory::parseAddressString(
+ $ip,
+ ParseStringFlag::IPV4_MAYBE_NON_DECIMAL | ParseStringFlag::IPV4ADDRESS_MAYBE_NON_QUAD_DOTTED
+ );
+ if ($parsedIp === null) {
+ /* Not an IP */
+ return;
+ }
+ /* Replace by normalized form */
+ if ($parsedIp instanceof IPv6) {
+ $ip = (string)($parsedIp->toIPv4() ?? $parsedIp);
+ } else {
+ $ip = (string)$parsedIp;
+ }
+
 $localRanges = [
 '100.64.0.0/10', // See RFC 6598
 '192.0.0.0/24', // See RFC 6890
@@ -50,19 +68,6 @@ class LocalAddressChecker {
 $this->logger->warning("Host $ip was not connected to because it violates local access rules");
 throw new LocalServerException('Host violates local access rules');
 }
-
- // Also check for IPv6 IPv4 nesting, because that's not covered by filter_var
- if ((bool)filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) && substr_count($ip, '.') > 0) {
- $delimiter = strrpos($ip, ':'); // Get last colon
- $ipv4Address = substr($ip, $delimiter + 1);
-
- if (
- !filter_var($ipv4Address, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) ||
- IpUtils::checkIp($ip, $localRanges)) {
- $this->logger->warning("Host $ip was not connected to because it violates local access rules");
- throw new LocalServerException('Host violates local access rules');
- }
- }
 }
 
 public function ThrowIfLocalAddress(string $uri) : void {
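Review bot: The early `return` when `Factory::parseAddressString()` yields null accepts the input without running any of the range checks that follow, and the `/* Not an IP */` comment does not say why that is safe; replace it with a comment that states the contract, e.g. `/* Not an address literal: only IP literals are range-checked here, hostnames must be resolved and re-checked by the caller */` — that responsibility is not visible in this hunk, so confirm it holds before committing to the wording. The `instanceof IPv6` branch presumably relies on `toIPv4()` unwrapping only IPv4-mapped (`::ffff:a.b.c.d`) literals; together with the test hunk that swaps `0:0:0:0:0:0:10.0.0.1` for the `ffff` form, this suggests IPv4-compatible (`::a.b.c.d`) literals are no longer unwrapped, which deserves an explicit comment next to `$parsedIp->toIPv4() ?? $parsedIp`. The rest of ThrowIfLocalIp (the IpUtils/filter_var checks against `$localRanges`) lies outside the hunk.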
@@ -72,7 +77,7 @@ class LocalAddressChecker {
 throw new LocalServerException('Could not detect any host');
 }
 
- $host = strtolower($host);
+ $host = idn_to_utf8(strtolower(urldecode($host)));
 // Remove brackets from IPv6 addresses
 if (strpos($host, '[') === 0 && substr($host, -1) === ']') {
 $host = substr($host, 1, -1);
diff --git a/tests/lib/Http/Client/ClientTest.php b/tests/lib/Http/Client/ClientTest.php
index 141c6190cd9..25d4749df57 100644
--- a/tests/lib/Http/Client/ClientTest.php
+++ b/tests/lib/Http/Client/ClientTest.php
@@ -161,6 +161,7 @@ class ClientTest extends \Test\TestCase {
 ['another-host.local'],
 ['service.localhost'],
 ['!@#$'], // test invalid url
+ ['normal.host.com'],
 ];
 }
 
diff --git a/tests/lib/Http/Client/LocalAddressCheckerTest.php b/tests/lib/Http/Client/LocalAddressCheckerTest.php
index 9f2f6c72993..8c8e64eddf9 100644
--- a/tests/lib/Http/Client/LocalAddressCheckerTest.php
+++ b/tests/lib/Http/Client/LocalAddressCheckerTest.php
@@ -91,7 +91,7 @@ class LocalAddressCheckerTest extends \Test\TestCase {
 return [
 ['192.168.0.1'],
 ['fe80::200:5aee:feaa:20a2'],
- ['0:0:0:0:0:0:10.0.0.1'],
+ ['0:0:0:0:0:ffff:10.0.0.1'],
 ['0:0:0:0:0:ffff:127.0.0.0'],
 ['10.0.0.1'],
 ['::'],
@@ -112,7 +112,7 @@ class LocalAddressCheckerTest extends \Test\TestCase {
 ['172.16.42.1'],
 ['[fdf8:f53b:82e4::53]/secret.ics'],
 ['[fe80::200:5aee:feaa:20a2]/secret.ics'],
- ['[0:0:0:0:0:0:10.0.0.1]/secret.ics'],
+ ['[0:0:0:0:0:ffff:10.0.0.1]/secret.ics'],
 ['[0:0:0:0:0:ffff:127.0.0.0]/secret.ics'],
 ['10.0.0.1'],
 ['another-host.local'],
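Review bot: The two LocalAddressCheckerTest hunks (lines 91 and 112) replace `['0:0:0:0:0:0:10.0.0.1']` and its bracketed `/secret.ics` variant with the `ffff` mapped form instead of adding it, so the IPv4-compatible literal is no longer exercised by any provider visible here. Since the commit removes the manual colon-splitting check from ThrowIfLocalIp and relies on the library's normalization instead, that input is the one most likely to change behaviour; if `::10.0.0.1` is now meant to be allowed it should be added to the non-local provider so the decision is pinned, and if it is still meant to be blocked the original lines should stay next to the new ones, e.g. `['0:0:0:0:0:0:10.0.0.1'],` followed by `['0:0:0:0:0:ffff:10.0.0.1'],`. Whether a non-local provider elsewhere in the file already covers it cannot be seen from these hunks.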
@@ -121,6 +121,25 @@ class LocalAddressCheckerTest extends \Test\TestCase {
 ['100.100.100.200'],
 ['192.0.0.1'],
 ['randomdomain.internal'],
+ ['0177.0.0.9'],
+ ['⑯⑨。②⑤④。⑯⑨。②⑤④'],
+ ['127。②⑤④。⑯⑨.②⑤④'],
+ ['127.0.00000000000000000000000000000000001'],
+ ['127.1'],
+ ['127.000.001'],
+ ['0177.0.0.01'],
+ ['0x7f.0x0.0x0.0x1'],
+ ['0x7f000001'],
+ ['2130706433'],
+ ['00000000000000000000000000000000000000000000000000177.1'],
+ ['0x7f.1'],
+ ['127.0x1'],
+ ['[0000:0000:0000:0000:0000:0000:0000:0001]'],
+ ['[0:0:0:0:0:0:0:1]'],
+ ['[0:0:0:0::0:0:1]'],
+ ['%31%32%37%2E%30%2E%30%2E%31'],
+ ['%31%32%37%2E%30%2E%30.%31'],
+ ['[%3A%3A%31]'],
 ];
 }
|