Add CIDR range functionality for SS_TRUSTED_PROXY_IPS #5737
Conversation
|
@brettt89, thanks for your PR! By analyzing the blame information on this pull request, I identified @hafriedlander, @chillu and @halkyon to be potential reviewers |
|
I think we need to reverse this and have an "is this IP in this CIDR range" function - otherwise a big enough range (like 10.0.0.0/8) would end up creating an enormous list. |
|
Can you please update the documentation? Please see https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#request-hostname-forgery for the current docs links. Some phpdoc on the new method would be great too thanks. :) |
|
Also, +1 on what @hafriedlander said; Make it a check rather than an exhaustive allowed value generation. :P |
|
Lot's of examples online how to check IP is in a CIDR declaration (here's one: https://gist.github.com/tott/7684443) |
|
Have made changes as per comments. |
| * @return boolean true if the ip is in this range / false if not. | ||
| */ | ||
| function ip_in_range( $ip, $range ) { | ||
| if ( strpos( $range, '/' ) == false ) { |
There was a problem hiding this comment.
If there's no slash, can't we do a basic comparison?
There was a problem hiding this comment.
Hi @dhensby , What do you mean by Basic Comparison? If there is no slash, it adds /32 onto the end (converts it to CIDR).
There was a problem hiding this comment.
If there's no slash, then it's not a range, it's a single IP, right? so we can do something like: $ip == $range
There was a problem hiding this comment.
Doing a straight comparison will mean that ::1 can be added.
|
My only question now is how we deal with ipv6? Can we get some unit tests, too? |
|
According to googling, there is an option for ipv6. http://stackoverflow.com/questions/7951061/matching-ipv6-address-to-a-cidr-subnet |
|
Yeah, now I just need to figure out how to tie them both together.... Nicely. |
|
@dhensby Where abouts would you put tests for constants? |
|
@brettt89 put them in seperate functions and then call the relevant one depending on whether the IP has As for tests - I don't think we have any method for it :) |
| @@ -104,7 +123,12 @@ function stripslashes_recursively(&$array) { | |||
| if(SS_TRUSTED_PROXY_IPS === '*') { | |||
| $trusted = true; | |||
| } elseif(isset($_SERVER['REMOTE_ADDR'])) { | |||
There was a problem hiding this comment.
I think you should refactor this to an ip_in_any_range() function, then you can add tests of that function.
if(SS_TRUSTED_PROXY_IPS === '*') {
$trusted = true;
} elseif(isset($_SERVER['REMOTE_ADDR'])) {
$trusted = ip_in_any_range($_SERVER['REMOTE_ADDR'], SS_TRUSTED_PROXY_IPS);
}Ensure there is a test for exact match on ::1. Handling of IPv6 subnets wouldn't block merge but it might be nice.
|
I've added some tasks to the top of the PR listing merge blockers and nice to haves. |
|
I believe this is superceded by #6062. If @andrewandante and @dhensby can confirm that is the case, can you close this? |
To do before merge
ip_in_any_range($ipAddress, $rangeList)ip_in_any_range()and/orip_in_range()::1) will work.Nice to have