From a471dba6e12e7287da27ac770b63fb1790b59fdf Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 2 Jul 2020 11:05:02 +0200
Subject: [PATCH] Fix IPv6 remote addresses from X_FORWARDED_FOR headers before validating
Signed-off-by: Joas Schilling
---
 lib/private/AppFramework/Http/Request.php | 6 +++++
 tests/lib/AppFramework/Http/RequestTest.php | 28 +++++++++++++++++++++
 2 files changed, 34 insertions(+)
diff --git a/lib/private/AppFramework/Http/Request.php b/lib/private/AppFramework/Http/Request.php
index 12748e0dd6..6428f7116b 100644
--- a/lib/private/AppFramework/Http/Request.php
+++ b/lib/private/AppFramework/Http/Request.php
@@ -653,6 +653,12 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 if (isset($this->server[$header])) {
 foreach (explode(',', $this->server[$header]) as $IP) {
 $IP = trim($IP);
+
+ // remove brackets from IPv6 addresses
+ if (strpos($IP, '[') === 0 && substr($IP, -1) === ']') {
+ $IP = substr($IP, 1, -1);
+ }
+
 if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
 return $IP;
 }
diff --git a/tests/lib/AppFramework/Http/RequestTest.php b/tests/lib/AppFramework/Http/RequestTest.php
index a8e2f2248c..7260b31b27 100644
--- a/tests/lib/AppFramework/Http/RequestTest.php
+++ b/tests/lib/AppFramework/Http/RequestTest.php
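Review bot: The bracket check in the added `if` only matches an entry that is exactly `[addr]`, so a bracketed address followed by a port (for example `[2001:db8::1]:443`, a form some proxies emit) still fails `filter_var` and the loop moves on to the next comma-separated entry. If this address is used for logging or throttling, which the hunk does not show, a skipped client entry means a later hop is attributed instead. Consider accepting an optional port before validating, e.g. `if (preg_match('/^\[([^\]]+)\](?::\d+)?$/', $IP, $m) === 1) { $IP = $m[1]; }`. The comment could also state the reason, `// proxies may send IPv6 literals in brackets, which FILTER_VALIDATE_IP rejects`. The enclosing method starts and ends outside the hunk, so what is returned when no entry validates is not visible here.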
@@ -632,6 +632,34 @@ class RequestTest extends \Test\TestCase {
 $this->assertSame('192.168.3.99', $request->getRemoteAddress());
 }
+ public function testGetRemoteAddressWithXForwardedForIPv6() {
+ $this->config
+ ->expects($this->at(0))
+ ->method('getSystemValue')
+ ->with('trusted_proxies')
+ ->willReturn(['192.168.2.0/24']);
+ $this->config
+ ->expects($this->at(1))
+ ->method('getSystemValue')
+ ->with('forwarded_for_headers')
+ ->willReturn(['HTTP_X_FORWARDED_FOR']);
+
+ $request = new Request(
+ [
+ 'server' => [
+ 'REMOTE_ADDR' => '192.168.2.99',
+ 'HTTP_X_FORWARDED_FOR' => '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
+ ],
+ ],
+ $this->secureRandom,
+ $this->config,
+ $this->csrfTokenManager,
+ $this->stream
+ );
+
+ $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $request->getRemoteAddress());
+ }
+
 /**
 * @return array
 */
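Review bot: The new test pins only the well-formed case, a single bracketed address that validates once the brackets are removed; nothing checks that malformed input is still rejected after the stripping step. A second case that puts values such as `'[2001:db8::zz]'` or an unbalanced `'[2001:db8::1'` into `HTTP_X_FORWARDED_FOR` and asserts that the header value is not returned would guard the validation against a later refactor. The value returned when no entry validates is decided outside this hunk, so confirm it against `getRemoteAddress()` before pinning it in the assertion.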