update filter_var filters for ipv4 addresses to reflect rfc6890

[zghosts]

Looking into to bug#71745 reporting that the whole 127.0.0.0/8 should be caught by the FILTER_FLAG_NO_RES_RANGE filter I found the filter doesn't take all currently reserved ranges into account.
This pullrequest adds all the ranges defined in rfc6890 to the FILTER_FLAG_NO_RES_RANGE, this also means the private ranges have been added to the NO_RES_RANGE flag as they are technically also reserved.

In addition to this I added the 169.254 range to the FILTER_FLAG_NO_PRIV_RANGE flag as this is used for link_local in ipv4 effectively making it a private network.

I'm not sure it it should be added to 5.6 as it might introduce a bc break, but 7.1 or even 7.0 might be elligable.

[Fleshgrinder]

Would be nice if the PHP manual is updated as well in case this gets merged.

[zghosts]

I fully agree, if it gets merged I'm willing to update the manual accordingly so it reflects the changes in this pr.

[Majkl578]

I already opened PR #1794 for 127.0.0.0/8 almost 4 months ago with no response at all.

[Fleshgrinder]

I do not know who can help, maybe @nikic or @sgolemon know?

[jpauli]

Merged

[Majkl578]

Cool, I suppose we can expect this in 7.0.10 (or maybe even 7.0.9?), correct? 👍 @jpauli @weltling
I encountered this bug while using Symfony/Validator component which uses filter_var internally, so I'm basically waiting for this fix ever since. :)

[jpauli]

Merged against 5.6 and up

[kemo]

This also adds 192.168.0.0/16 into the reserved range? This should at least be mentioned in the documentation as it will break many tests that relied on the documentation for FILTER_FLAG_NO_RES_RANGE and it's a minor version change:

Fails validation for the following reserved IPv4 ranges: 
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24 and 224.0.0.0/4. 
This flag does not apply to IPv6 addresses.

Code: https://3v4l.org/kkYAF

var_dump(filter_var('192.168.0.1', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE));
var_dump(filter_var('192.168.255.255', FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE));

Output for 5.6.25, 7.0.10, 7.1.0beta1 - 7.1.0beta3
bool(false)
bool(false)
Output for 5.6.0 - 5.6.24, hhvm-3.10.0 - 3.12.0, 7.0.0 - 7.0.9, 7.1.0alpha1 - 7.1.0alpha3
string(11) "192.168.0.1"
string(15) "192.168.255.255"

[enov]

With this change, it is becoming harder write validations for IPs that allow private ones as well.

This simple function:

function ip($ip, $allow_private = TRUE)
{
    // Do not allow reserved addresses
    $flags = FILTER_FLAG_NO_RES_RANGE;
    if ($allow_private === FALSE)
    {
        // Do not allow private or reserved addresses
        $flags = $flags | FILTER_FLAG_NO_PRIV_RANGE;
    }

    return (bool) filter_var($ip, FILTER_VALIDATE_IP, $flags);
}

will become:

function ip($ip, $allow_private = TRUE)
{
    // FILTER_FLAG_NO_RES_RANGE includes FILTER_FLAG_NO_PRIV_RANGE
    $is_valid_public_ip = (bool) filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE);
    if ( ! $allow_private)
    {
        return $is_valid_public_ip;
    }
    // at this point we are allowing private IPs as well
    return (
        $is_valid_public_ip OR (
            (bool) filter_var($ip, FILTER_VALIDATE_IP) AND // is a valid IP
            ! (bool) filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE) // but it is private
        )
    );
}

[enov]

Also, FILTER_FLAG_NO_RES_RANGE constant value should reflect the idea that no_res_range includes no_priv_range

FILTER_FLAG_NO_RES_RANGE* = FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE

[jpauli]

Fixing as of #2113