diff options
| author | Vincent Petry <vincent@nextcloud.com> | 2022-09-22 11:38:12 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-22 11:38:12 +0200 |
| commit | 2f15e83d7beea8df2f03eeb66c7dee45aed033ee (patch) | |
| tree | b7e4e5401305ebaef74deb78511a33746546509b /lib | |
| parent | 938bc57f6dd0d4e6f152692926856263dacc06dd (diff) | |
| parent | 75328593ad06cea7b3b0331dec999e6f5a083ef1 (diff) | |
| download | nextcloud-server-2f15e83d7beea8df2f03eeb66c7dee45aed033ee.tar.gz nextcloud-server-2f15e83d7beea8df2f03eeb66c7dee45aed033ee.zip | |
Merge pull request #34160 from nextcloud/fix/detect-weird-local-ips
Detect weird local ips
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/Http/Client/DnsPinMiddleware.php | 2 | ||||
| -rw-r--r-- | lib/private/Http/Client/LocalAddressChecker.php | 33 |
2 files changed, 20 insertions, 15 deletions
diff --git a/lib/private/Http/Client/DnsPinMiddleware.php b/lib/private/Http/Client/DnsPinMiddleware.php index ee0ea053dcf..f5e6214a4ab 100644 --- a/lib/private/Http/Client/DnsPinMiddleware.php +++ b/lib/private/Http/Client/DnsPinMiddleware.php @@ -125,7 +125,7 @@ class DnsPinMiddleware { $ports[] = (string)$port; } - $targetIps = $this->dnsResolve($hostName, 0); + $targetIps = $this->dnsResolve(idn_to_utf8($hostName), 0); $curlResolves = []; diff --git a/lib/private/Http/Client/LocalAddressChecker.php b/lib/private/Http/Client/LocalAddressChecker.php index f4fea503ab9..13a7d062de3 100644 --- a/lib/private/Http/Client/LocalAddressChecker.php +++ b/lib/private/Http/Client/LocalAddressChecker.php @@ -25,6 +25,9 @@ declare(strict_types=1); */ namespace OC\Http\Client; +use IPLib\Address\IPv6; +use IPLib\Factory; +use IPLib\ParseStringFlag; use OCP\Http\Client\LocalServerException; use Psr\Log\LoggerInterface; use Symfony\Component\HttpFoundation\IpUtils; @@ -37,6 +40,21 @@ class LocalAddressChecker { } public function ThrowIfLocalIp(string $ip) : void { + $parsedIp = Factory::parseAddressString( + $ip, + ParseStringFlag::IPV4_MAYBE_NON_DECIMAL | ParseStringFlag::IPV4ADDRESS_MAYBE_NON_QUAD_DOTTED + ); + if ($parsedIp === null) { + /* Not an IP */ + return; + } + /* Replace by normalized form */ + if ($parsedIp instanceof IPv6) { + $ip = (string)($parsedIp->toIPv4() ?? $parsedIp); + } else { + $ip = (string)$parsedIp; + } + $localRanges = [ '100.64.0.0/10', // See RFC 6598 '192.0.0.0/24', // See RFC 6890 @@ -50,19 +68,6 @@ class LocalAddressChecker { $this->logger->warning("Host $ip was not connected to because it violates local access rules"); throw new LocalServerException('Host violates local access rules'); } - - // Also check for IPv6 IPv4 nesting, because that's not covered by filter_var - if ((bool)filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) && substr_count($ip, '.') > 0) { - $delimiter = strrpos($ip, ':'); // Get last colon - $ipv4Address = substr($ip, $delimiter + 1); - - if ( - !filter_var($ipv4Address, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) || - IpUtils::checkIp($ip, $localRanges)) { - $this->logger->warning("Host $ip was not connected to because it violates local access rules"); - throw new LocalServerException('Host violates local access rules'); - } - } } public function ThrowIfLocalAddress(string $uri) : void { @@ -72,7 +77,7 @@ class LocalAddressChecker { throw new LocalServerException('Could not detect any host'); } - $host = strtolower($host); + $host = idn_to_utf8(strtolower(urldecode($host))); // Remove brackets from IPv6 addresses if (strpos($host, '[') === 0 && substr($host, -1) === ']') { $host = substr($host, 1, -1); |