diff options
| author | Simon Leiner <simon@leiner.me> | 2022-07-23 23:29:45 +0200 |
|---|---|---|
| committer | Simon Leiner <simon@leiner.me> | 2022-08-02 17:36:47 +0200 |
| commit | 09362eaeaa24e4458b5e52c1099759484b1a528d (patch) | |
| tree | 7c419cfbe31c5acf86edbeb5fa384ce75f17d51f /lib | |
| parent | 9475cc02b218f7cab402ec0b2b370ed6c68650c1 (diff) | |
| download | nextcloud-server-09362eaeaa24e4458b5e52c1099759484b1a528d.tar.gz nextcloud-server-09362eaeaa24e4458b5e52c1099759484b1a528d.zip | |
Support specifying IPv6 proxies in CIDR notation
Previously, it was not possible to use CIDR notation for IPv6 proxies
in the trusted_proxies parameter of config.php [1]. This patch adds
support for that.
[1]: https://docs.nextcloud.com/server/24/admin_manual/configuration_server/reverse_proxy_configuration.html#defining-trusted-proxies
Signed-off-by: Simon Leiner <simon@leiner.me>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/AppFramework/Http/Request.php | 33 |
1 files changed, 3 insertions, 30 deletions
diff --git a/lib/private/AppFramework/Http/Request.php b/lib/private/AppFramework/Http/Request.php index 35cd46bf68a..496a845dd4a 100644 --- a/lib/private/AppFramework/Http/Request.php +++ b/lib/private/AppFramework/Http/Request.php @@ -25,6 +25,7 @@ declare(strict_types=1); * @author Thomas Müller <thomas.mueller@tmit.eu> * @author Thomas Tanghus <thomas@tanghus.net> * @author Vincent Petry <vincent@nextcloud.com> + * @author Simon Leiner <simon@leiner.me> * * @license AGPL-3.0 * @@ -50,6 +51,7 @@ use OCP\IConfig; use OCP\IRequest; use OCP\IRequestId; use OCP\Security\ICrypto; +use Symfony\Component\HttpFoundation\IpUtils; /** * Class for accessing variables in the request. @@ -573,41 +575,12 @@ class Request implements \ArrayAccess, \Countable, IRequest { } /** - * Checks if given $remoteAddress matches given $trustedProxy. - * If $trustedProxy is an IPv4 IP range given in CIDR notation, true will be returned if - * $remoteAddress is an IPv4 address within that IP range. - * Otherwise $remoteAddress will be compared to $trustedProxy literally and the result - * will be returned. - * @return boolean true if $remoteAddress matches $trustedProxy, false otherwise - */ - protected function matchesTrustedProxy($trustedProxy, $remoteAddress) { - $cidrre = '/^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\/([0-9]{1,2})$/'; - - if (preg_match($cidrre, $trustedProxy, $match)) { - $net = $match[1]; - $shiftbits = min(32, max(0, 32 - intval($match[2]))); - $netnum = ip2long($net) >> $shiftbits; - $ipnum = ip2long($remoteAddress) >> $shiftbits; - - return $ipnum === $netnum; - } - - return $trustedProxy === $remoteAddress; - } - - /** * Checks if given $remoteAddress matches any entry in the given array $trustedProxies. * For details regarding what "match" means, refer to `matchesTrustedProxy`. * @return boolean true if $remoteAddress matches any entry in $trustedProxies, false otherwise */ protected function isTrustedProxy($trustedProxies, $remoteAddress) { - foreach ($trustedProxies as $tp) { - if ($this->matchesTrustedProxy($tp, $remoteAddress)) { - return true; - } - } - - return false; + return IpUtils::checkIp($remoteAddress, $trustedProxies); } /** |