update filter_var filters for ipv4 addresses to reflect rfc6890 #1954
Would be nice if the PHP manual is updated as well in case this gets merged.
I fully agree, if it gets merged I'm willing to update the manual accordingly so it reflects the changes in this PR.
I already opened PR #1794 for 127.0.0.0/8 almost 4 months ago with no response at all.
Merged
Merged against 5.6 and up
This also adds
Code: https://3v4l.org/kkYAF

```php
var_dump(filter_var('192.168.0.1', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE));
var_dump(filter_var('192.168.255.255', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE));
```
With this change, it is becoming harder to write validations for IPs that allow private ones as well.

```php
function ip($ip, $allow_private = TRUE)
{
    // Do not allow reserved addresses
    $flags = FILTER_FLAG_NO_RES_RANGE;
    if ($allow_private === FALSE)
    {
        // Do not allow private or reserved addresses
        $flags = $flags | FILTER_FLAG_NO_PRIV_RANGE;
    }
    return (bool) filter_var($ip, FILTER_VALIDATE_IP, $flags);
}
```

will become:

```php
function ip($ip, $allow_private = TRUE)
{
    // FILTER_FLAG_NO_RES_RANGE includes FILTER_FLAG_NO_PRIV_RANGE
    $is_valid_public_ip = (bool) filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE);
    if ( ! $allow_private)
    {
        return $is_valid_public_ip;
    }
    // at this point we are allowing private IPs as well
    return (
        $is_valid_public_ip OR (
            (bool) filter_var($ip, FILTER_VALIDATE_IP) AND // is a valid IP
            ! (bool) filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE) // but it is private
        )
    );
}
```
Also, FILTER_FLAG_NO_RES_RANGE constant value should reflect the idea that FILTER_FLAG_NO_RES_RANGE* = FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE
Fixing as of #2113
PHP 5.6.25, 5.6.26, 7.0.10, 7.0.11 include backward incompatible bugfixes which later were reverted in the minor versions that followed. See php/php-src#1954
Looking into bug #71745, which reports that the whole 127.0.0.0/8 should be caught by the FILTER_FLAG_NO_RES_RANGE filter, I found the filter doesn't take all currently reserved ranges into account.
This pull request adds all the ranges defined in rfc6890 to the FILTER_FLAG_NO_RES_RANGE; this also means the private ranges have been added to the NO_RES_RANGE flag, as they are technically also reserved.
In addition to this, I added the 169.254 range to the FILTER_FLAG_NO_PRIV_RANGE flag, as this is used for link_local in ipv4, effectively making it a private network.
I'm not sure if it should be added to 5.6 as it might introduce a BC break, but 7.1 or even 7.0 might be eligible.
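Because the meaning of the range flags differs between the PHP releases discussed in this thread, validation that must behave identically everywhere can classify the address itself. The following is an added example, not code from this PR or from php-src: it uses `filter_var` only for the syntax check and matches the RFC 6890 IPv4 blocks explicitly. The function names, the category labels and the sample addresses are assumptions, and it expects 64-bit PHP 7.1 or later.

```php
<?php
// Added example. IPv4 blocks from RFC 6890 (multicast is not in that registry).
const RFC6890_IPV4 = [
    '0.0.0.0/8'       => 'reserved',    // this host on this network
    '10.0.0.0/8'      => 'private',
    '100.64.0.0/10'   => 'reserved',    // shared address space
    '127.0.0.0/8'     => 'loopback',
    '169.254.0.0/16'  => 'link-local',
    '172.16.0.0/12'   => 'private',
    '192.0.0.0/24'    => 'reserved',    // IETF protocol assignments
    '192.0.2.0/24'    => 'reserved',    // TEST-NET-1
    '192.88.99.0/24'  => 'reserved',    // 6to4 relay anycast
    '192.168.0.0/16'  => 'private',
    '198.18.0.0/15'   => 'reserved',    // benchmarking
    '198.51.100.0/24' => 'reserved',    // TEST-NET-2
    '203.0.113.0/24'  => 'reserved',    // TEST-NET-3
    '240.0.0.0/4'     => 'reserved',    // includes 255.255.255.255
];

function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// The syntax check carries no range flags; null means "not a valid IPv4 address".
function ipv4_category(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    foreach (RFC6890_IPV4 as $cidr => $category) {
        if (ipv4_in_cidr($ip, $cidr)) {
            return $category;
        }
    }
    return 'public';
}

// Public addresses always pass; the caller lists any other categories it accepts.
function ip_allowed(string $ip, array $also_allow = []): bool
{
    $category = ipv4_category($ip);
    return $category === 'public' || in_array($category, $also_allow, true);
}
foreach (['8.8.8.8', '192.168.0.1', '127.0.0.53', '169.254.10.1', 'not-an-ip'] as $ip) { // constructed samples
    var_dump($ip, ipv4_category($ip), ip_allowed($ip, ['private']));
}
```

Link-local is kept as its own category here rather than folded into `private`, so a caller that wants the grouping described in the PR passes `['private', 'link-local']`.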