[HttpFoundation][FrameworkBundle] Add CIDR notation support in trusted proxy list #7735

Merged
merged 5 commits into from
Apr 20, 2013
Expand Up @@ -46,7 +46,21 @@ public function getConfigTreeBuilder()
->end()
->prototype('scalar')
->validate()
->ifTrue(function($v) { return !empty($v) && !filter_var($v, FILTER_VALIDATE_IP); })
->ifTrue(function($v) {
if (empty($v)) {
return false;
}

if (false !== strpos($v, '/')) {
list($v, $mask) = explode('/', $v, 2);

if (strcmp($mask, (int) $mask) || $mask < 1 || $mask > (false !== strpos($v, ':') ? 128 : 32)) {
return true;
}
}

return !filter_var($v, FILTER_VALIDATE_IP);
})
->thenInvalid('Invalid proxy IP "%s"')
->end()
->end()
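Review bot: The CIDR branch silently rejects a zero mask (`$mask < 1`), so a catch-all range such as `0.0.0.0/0` can never be configured as a trusted proxy; since trusting every address would let any client forge `X-Forwarded-*` headers this looks deliberate, but it deserves a comment at that line, e.g. `// a /0 mask would trust every client, so it is rejected together with out-of-range masks`. The closure also appears to duplicate the mask-bounds rule that IpUtils applies at request time (the IpUtils tests in this PR reject `/33` as well), so the two places can drift apart; a single shared helper would avoid that. Reusing `$v` for the address part after `list($v, $mask) = explode('/', $v, 2)` is correct but easy to misread when the family check on the next line looks at `$v` again — a distinct name such as `$address` would make it obvious which part is tested. getConfigTreeBuilder starts and ends outside the hunk.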
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ public function getTestValidTrustedProxiesData()
array(null, array()),
array(false, array()),
array(array(), array()),
array(array('10.0.0.0/8'), array('10.0.0.0/8')),
array(array('::ffff:0:0/96'), array('::ffff:0:0/96')),
);
}
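Review bot: The new fixtures only cover CIDR values the validator accepts; its rejection paths — a non-numeric mask, a zero mask, and a mask above 32 or 128 — are not exercised, so a regression in that branch of the Configuration validator would go unnoticed. If a companion invalid-proxies provider exists in this test class (it would be outside the hunk), `'10.0.0.0/33'`, `'10.0.0.0/x'` and `'::ffff:0:0/129'` belong in it; otherwise a small invalid-proxies test is warranted. The opening of getTestValidTrustedProxiesData is above the hunk.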

Expand Down
2 changes: 2 additions & 0 deletions src/Symfony/Component/HttpFoundation/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@ CHANGELOG
=========

2.3.0
-----

* added support for ranges of IPs in trusted proxies
* `UploadedFile::isValid` now returns false if the file was not uploaded via HTTP (in a non-test mode)

2.2.0
Expand Down
20 changes: 14 additions & 6 deletions src/Symfony/Component/HttpFoundation/IpUtils.php
Original file line number Diff line number Diff line change
Expand Up @@ -26,18 +26,26 @@ private function __construct() {}
/**
* Validates an IPv4 or IPv6 address.
*
* @param string $requestIp
* @param string $ip
* @param string $requestIp
* @param string|array $ips
*
* @return boolean Whether the IP is valid
*/
public static function checkIp($requestIp, $ip)
public static function checkIp($requestIp, $ips)
{
if (false !== strpos($requestIp, ':')) {
return self::checkIp6($requestIp, $ip);
if (!is_array($ips)) {
$ips = array($ips);
}

$method = false !== strpos($requestIp, ':') ? 'checkIp6': 'checkIp4';

foreach ($ips as $ip) {
if (self::$method($requestIp, $ip)) {
return true;
}
}

return self::checkIp4($requestIp, $ip);
return false;
}
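Review bot: The docblock still reads as if one address were validated, while `$ips` now accepts a list and the method returns true on the first match, so the summary and `@return` no longer state the contract; suggested wording: summary `Checks whether an IPv4 or IPv6 address is contained in any of the given IPs or subnets.`, `@param string|array $ips List of IPs or subnets (a string when there is only one)`, and `@return bool Whether the IP is contained in any of the given ranges`. An empty array yields false, which is the safe default for a trust check and is worth stating in that docblock. The checker is chosen from `$requestIp` alone via `self::$method`, so every entry of `$ips` is compared by the request address's family even when the entry belongs to the other family; that was already true for a single `$ip`, but mixed lists are now more likely, so the docblock should say so. The variable static call also hides the target from static analysis; a plain `if` on the family, or a first-class callable, reads more clearly.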

/**
Expand Down
9 changes: 8 additions & 1 deletion src/Symfony/Component/HttpFoundation/Request.php
Original file line number Diff line number Diff line change
Expand Up @@ -688,7 +688,14 @@ public function getClientIps()

$trustedProxies = !self::$trustedProxies ? array($ip) : self::$trustedProxies;
$ip = $clientIps[0];
$clientIps = array_values(array_diff($clientIps, $trustedProxies));

foreach ($clientIps as $key => $clientIp) {
if (IpUtils::checkIp($clientIp, $trustedProxies)) {
unset($clientIps[$key]);

continue;
}
}

return $clientIps ? array_reverse($clientIps) : array($ip);
}
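Review bot: The `continue;` at the end of the foreach body has no effect — nothing follows the `if`, so the loop advances anyway — and it reads as if a later step were being skipped; drop it, or replace the unset-in-loop with `$clientIps = array_filter($clientIps, function ($clientIp) use ($trustedProxies) { return !IpUtils::checkIp($clientIp, $trustedProxies); });`, which leaves the keys exactly as the loop does. The context line above the loop seeds `$trustedProxies` with the remote address itself when none are configured, so in that case the loop strips only the remote address; a one-line comment there (`// no trusted proxies configured: only the remote address itself is discarded`) keeps that intent visible now that matching covers ranges. getClientIps starts outside the hunk.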
Expand Down
6 changes: 2 additions & 4 deletions src/Symfony/Component/HttpFoundation/RequestMatcher.php
Original file line number Diff line number Diff line change
Expand Up @@ -153,10 +153,8 @@ public function matches(Request $request)
return false;
}

foreach ($this->ips as $ip) {
if (IpUtils::checkIp($request->getClientIp(), $ip)) {
return true;
}
if (IpUtils::checkIp($request->getClientIp(), $this->ips)) {
return true;
}

// Note to future implementors: add additional checks above the
Expand Down
6 changes: 6 additions & 0 deletions src/Symfony/Component/HttpFoundation/Tests/IpUtilsTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,9 @@ public function testIpv4Provider()
array(true, '192.168.1.1', '192.168.1.0/24'),
array(false, '192.168.1.1', '1.2.3.4/1'),
array(false, '192.168.1.1', '192.168.1/33'),
array(true, '192.168.1.1', array('1.2.3.4/1', '192.168.1.0/24')),
array(true, '192.168.1.1', array('192.168.1.0/24', '1.2.3.4/1')),
array(false, '192.168.1.1', array('1.2.3.4/1', '4.3.2.1/1')),
);
}

Expand All @@ -54,6 +57,9 @@ public function testIpv6Provider()
array(false, '2a01:198:603:0:396e:4789:8e99:890f', '::1'),
array(true, '0:0:0:0:0:0:0:1', '::1'),
array(false, '0:0:603:0:396e:4789:8e99:0001', '::1'),
array(true, '2a01:198:603:0:396e:4789:8e99:890f', array('::1', '2a01:198:603:0::/65')),
array(true, '2a01:198:603:0:396e:4789:8e99:890f', array('2a01:198:603:0::/65', '::1')),
array(false, '2a01:198:603:0:396e:4789:8e99:890f', array('::1', '1a01:198:603:0::/65')),
);
}
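Review bot: Neither provider covers `checkIp()` with an empty array, although that input is now reachable from `Request::getClientIps()` and `RequestMatcher::matches()` and is the case where a wrong default would silently trust or distrust everything; `array(false, '192.168.1.1', array())` and `array(false, '2a01:198:603:0:396e:4789:8e99:890f', array())` would pin it. A list mixing IPv4 and IPv6 ranges (for example `array('::1', '192.168.1.0/24')` against an IPv4 request) is likewise untested even though `checkIp()` hands every entry to the checker chosen by the request address's family; a case recording the intended result would document that behaviour.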

Expand Down
4 changes: 4 additions & 0 deletions src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -781,11 +781,15 @@ public function testGetClientIpsProvider()
array(array('88.88.88.88'), '127.0.0.1', '88.88.88.88', array('127.0.0.1')),
// forwarded for with remote IPv4 and all FF addrs trusted
array(array('88.88.88.88'), '127.0.0.1', '88.88.88.88', array('127.0.0.1', '88.88.88.88')),
// forwarded for with remote IPv4 range trusted
array(array('88.88.88.88'), '123.45.67.89', '88.88.88.88', array('123.45.67.0/24')),

// forwarded for with remote IPv6 addr not trusted
array(array('1620:0:1cfe:face:b00c::3'), '1620:0:1cfe:face:b00c::3', '2620:0:1cfe:face:b00c::3', null),
// forwarded for with remote IPv6 addr trusted
array(array('2620:0:1cfe:face:b00c::3'), '1620:0:1cfe:face:b00c::3', '2620:0:1cfe:face:b00c::3', array('1620:0:1cfe:face:b00c::3')),
// forwarded for with remote IPv6 range trusted
array(array('88.88.88.88'), '2a01:198:603:0:396e:4789:8e99:890f', '88.88.88.88', array('2a01:198:603:0::/65')),

// multiple forwarded for with remote IPv4 addr trusted
array(array('88.88.88.88', '87.65.43.21', '127.0.0.1'), '123.45.67.89', '127.0.0.1, 87.65.43.21, 88.88.88.88', array('123.45.67.89')),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -80,10 +80,8 @@ protected function validateRequest(Request $request)
// does the Request come from a trusted IP?
$trustedIps = array_merge($this->getLocalIpAddresses(), $request->getTrustedProxies());
$remoteAddress = $request->server->get('REMOTE_ADDR');
foreach ($trustedIps as $ip) {
if (IpUtils::checkIp($remoteAddress, $ip)) {
return;
}
if (IpUtils::checkIp($remoteAddress, $trustedIps)) {
return;
}
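Review bot: With ranges now accepted, `$trustedIps` can contain whole subnets coming from `getTrustedProxies()`, so every host inside a trusted proxy range is allowed to bypass the signature check that appears to follow below the hunk; that widens what the trusted-proxies setting authorises and should be spelled out at this check, e.g. `// trusted proxies may be CIDR ranges: any address in such a range may send unsigned fragment requests`. The same point belongs in the configuration documentation so that operators keep proxy ranges as narrow as the deployment allows. validateRequest starts and ends outside the hunk.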

// is the Request signed?
Expand Down