Add CIDR range functionality for SS_TRUSTED_PROXY_IPS #5737
Conversation
@brettt89, thanks for your PR! By analyzing the blame information on this pull request, I identified @hafriedlander, @chillu and @halkyon to be potential reviewers
I think we need to reverse this and have an "is this IP in this CIDR range" function - otherwise a big enough range (like 10.0.0.0/8) would end up creating an enormous list.
Can you please update the documentation? Please see https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#request-hostname-forgery for the current docs links. Some phpdoc on the new method would be great too thanks. :)
Also, +1 on what @hafriedlander said; make it a check rather than an exhaustive allowed value generation. :P
Lots of examples online how to check IP is in a CIDR declaration (here's one: https://gist.github.com/tott/7684443)
Have made changes as per comments.
* @return boolean true if the ip is in this range / false if not. | ||
*/ | ||
function ip_in_range( $ip, $range ) { | ||
if ( strpos( $range, '/' ) == false ) { |
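Review bot: "strpos( $range, '/' ) == false" is a loose comparison; strpos() returns 0 when the slash is the first character of the string, and 0 == false is true in PHP, so a malformed entry such as "/24" takes the no-slash branch instead of being rejected. Use "=== false" here, and treat an entry whose prefix length is missing or larger than the address family allows as a non-match rather than silently appending a default.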
If there's no slash, can't we do a basic comparison?
Hi @dhensby, what do you mean by basic comparison? If there is no slash, it adds /32 onto the end (converts it to CIDR).
If there's no slash, then it's not a range, it's a single IP, right? So we can do something like: $ip == $range
Doing a straight comparison will mean that ::1 can be added.
My only question now is how we deal with IPv6? Can we get some unit tests, too?
According to googling, there is an option for IPv6. http://stackoverflow.com/questions/7951061/matching-ipv6-address-to-a-cidr-subnet
Yeah, now I just need to figure out how to tie them both together.... Nicely.
@dhensby Whereabouts would you put tests for constants?
@brettt89 put them in separate functions and then call the relevant one depending on whether the IP has As for tests - I don't think we have any method for it :)
@@ -104,7 +123,12 @@ function stripslashes_recursively(&$array) { | |||
if(SS_TRUSTED_PROXY_IPS === '*') { | |||
$trusted = true; | |||
} elseif(isset($_SERVER['REMOTE_ADDR'])) { |
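Review bot: the trust decision in the elseif branch reads $_SERVER['REMOTE_ADDR'] and the SS_TRUSTED_PROXY_IPS constant directly, so it cannot be unit-tested without populating globals and redefining a constant. Move the comparison into a function that takes the client address and the configured list as arguments, keep the '*' case as its own early return, and add tests covering a single IPv4 address, a wide range such as 10.0.0.0/8, and the exact ::1 match raised earlier in this thread.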
I think you should refactor this to an ip_in_any_range() function, then you can add tests of that function.
if(SS_TRUSTED_PROXY_IPS === '*') {
    $trusted = true;
} elseif(isset($_SERVER['REMOTE_ADDR'])) {
    $trusted = ip_in_any_range($_SERVER['REMOTE_ADDR'], SS_TRUSTED_PROXY_IPS);
}
Ensure there is a test for exact match on ::1. Handling of IPv6 subnets wouldn't block merge but it might be nice.
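The check-based approach asked for above (an "is this IP in this range" function plus an ip_in_any_range() wrapper), written as an added example for this thread rather than code taken from the PR or the framework. It compares the packed binary form returned by inet_pton(), so one code path serves IPv4 and IPv6, no range is ever expanded into a list, and a bare address is an exact match (::1 and 0:0:0:0:0:0:0:1 compare equal). It assumes the configured list is comma-separated and that '*' means "trust every client"; both are my assumptions about SS_TRUSTED_PROXY_IPS, not facts stated in the thread.

```php
<?php
/** True if $ip lies inside $range (e.g. "10.0.0.0/8", "2001:db8::/32", or a bare address). */
function ip_in_range($ip, $range) {
    $ipBin = @inet_pton($ip);
    if ($ipBin === false) {
        return false; // unparseable client address is never trusted
    }
    $parts = explode('/', $range, 2);
    $rangeBin = @inet_pton($parts[0]);
    // The range must parse and be the same address family (4 or 16 bytes) as the client address.
    if ($rangeBin === false || strlen($rangeBin) !== strlen($ipBin)) {
        return false;
    }
    $bits = strlen($ipBin) * 8;                       // 32 for IPv4, 128 for IPv6
    $prefix = isset($parts[1]) ? $parts[1] : $bits;   // no slash: exact match (/32 or /128)
    if (!ctype_digit((string) $prefix) || (int) $prefix > $bits) {
        return false;                                 // missing or out-of-range prefix length
    }
    $prefix = (int) $prefix;
    // Compare the whole bytes covered by the prefix, then the leftover bits of the next byte.
    $fullBytes = $prefix >> 3;
    if (substr($ipBin, 0, $fullBytes) !== substr($rangeBin, 0, $fullBytes)) {
        return false;
    }
    $remaining = $prefix % 8;
    if ($remaining === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remaining)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($rangeBin[$fullBytes]) & $mask);
}

/** True if $ip matches any entry of the comma-separated $rangeList, or if the list is '*'. */
function ip_in_any_range($ip, $rangeList) {
    if (trim($rangeList) === '*') {
        return true; // wildcard: every client is trusted (assumed to mirror the existing '*' branch)
    }
    foreach (explode(',', $rangeList) as $range) {
        $range = trim($range);
        if ($range !== '' && ip_in_range($ip, $range)) {
            return true;
        }
    }
    return false;
}
// Constructed sample inputs for a quick manual run.
var_dump(ip_in_any_range('10.20.30.40', '10.0.0.0/8, ::1'));
var_dump(ip_in_any_range('::1', '10.0.0.0/8, ::1'));
var_dump(ip_in_any_range('2001:db8::5', '2001:db8::/32'));
```

Because both functions take the address and the list as arguments, they can be covered by plain unit tests without touching $_SERVER or redefining the constant.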
I've added some tasks to the top of the PR listing merge blockers and nice to haves.
I believe this is superseded by #6062. If @andrewandante and @dhensby can confirm that is the case, can you close this?
To do before merge
ip_in_any_range($ipAddress, $rangeList)
ip_in_any_range() and/or ip_in_range()
(::1) will work.
Nice to have