diff options
| -rw-r--r-- | config/config.sample.php | 10 | ||||
| -rw-r--r-- | lib/private/Security/Normalizer/IpAddress.php | 15 | ||||
| -rw-r--r-- | tests/lib/Security/Normalizer/IpAddressTest.php | 8 |
3 files changed, 25 insertions, 8 deletions
diff --git a/config/config.sample.php b/config/config.sample.php index 54294dfb8b7..dbf42ecf2ee 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -421,6 +421,16 @@ $CONFIG = [ 'ratelimit.protection.enabled' => true, /** + * Size of subnet used to normalize IPv6 + * + * For Brute Force Protection and Rate Limiting, IPv6 are truncated using subnet size. + * It defaults to /56 but you can set it between /32 and /64 + * + * Defaults to ``56`` + */ +'security.ipv6_normalized_subnet_size' => 56, + +/** * By default, WebAuthn is available, but it can be explicitly disabled by admins */ 'auth.webauthn.enabled' => true, diff --git a/lib/private/Security/Normalizer/IpAddress.php b/lib/private/Security/Normalizer/IpAddress.php index 5ba51d8c480..7343ad6faa8 100644 --- a/lib/private/Security/Normalizer/IpAddress.php +++ b/lib/private/Security/Normalizer/IpAddress.php @@ -8,6 +8,8 @@ declare(strict_types=1); */ namespace OC\Security\Normalizer; +use OCP\IConfig; + /** * Class IpAddress is used for normalizing IPv4 and IPv6 addresses in security * relevant contexts in Nextcloud. @@ -24,7 +26,8 @@ class IpAddress { } /** - * Return the given subnet for an IPv6 address (48 first bits) + * Return the given subnet for an IPv6 address + * Rely on security.ipv6_normalized_subnet_size, defaults to 56 */ private function getIPv6Subnet(string $ip): string { if ($ip[0] === '[' && $ip[-1] === ']') { // If IP is with brackets, for example [::1] @@ -35,10 +38,14 @@ class IpAddress { $ip = substr($ip, 0, $pos - 1); } + $config = \OCP\Server::get(IConfig::class); + $maskSize = min(64, $config->getSystemValueInt('security.ipv6_normalized_subnet_size', 56)); + $maskSize = max(32, $maskSize); + $mask = pack('VVP', (1 << 32) - 1, (1 << $maskSize - 32) - 1, 0); + $binary = \inet_pton($ip); - $mask = inet_pton('FFFF:FFFF:FFFF::'); - return inet_ntop($binary & $mask).'/48'; + return inet_ntop($binary & $mask) . '/' . $maskSize; } /** @@ -63,7 +70,7 @@ class IpAddress { /** - * Gets either the /32 (IPv4) or the /48 (IPv6) subnet of an IP address + * Gets either the /32 (IPv4) or the /56 (default for IPv6) subnet of an IP address */ public function getSubnet(): string { if (filter_var($this->ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) { diff --git a/tests/lib/Security/Normalizer/IpAddressTest.php b/tests/lib/Security/Normalizer/IpAddressTest.php index 8c00fee9b3c..df398005e8d 100644 --- a/tests/lib/Security/Normalizer/IpAddressTest.php +++ b/tests/lib/Security/Normalizer/IpAddressTest.php @@ -37,19 +37,19 @@ class IpAddressTest extends TestCase { ], [ '2001:0db8:0000:0000:0000:8a2e:0370:7334', - '2001:db8::/48', + '2001:db8::/56', ], [ '2001:db8:3333:4444:5555:6666:7777:8888', - '2001:db8:3333::/48', + '2001:db8:3333:4400::/56', ], [ '::1234:5678', - '::/48', + '::/56', ], [ '[::1]', - '::/48', + '::/56', ], ]; } |