Normalize IPv6 addresses in XFF chains
authorMax Semenik <maxsem.wiki@gmail.com>
Tue, 30 Jul 2013 22:45:48 +0000 (02:45 +0400)
committerMax Semenik <maxsem.wiki@gmail.com>
Thu, 29 Aug 2013 20:55:38 +0000 (00:55 +0400)
Otherwise we are at the proxy's mercy as to which textual form of an IP address it uses.

Change-Id: I090947958bf699ee6d8a9009c9e4a6d11da23f2c

RELEASE-NOTES-1.22
includes/WebRequest.php
tests/phpunit/includes/WebRequestTest.php

index f0490d4..ee492c4 100644 (file)
@@ -206,6 +206,8 @@ production.
   they have ever uploaded, even if it was subsequently overriden.
 * Introduced Special:MyFiles and Special:AllMyFiles as an alias for Special:MyUploads
   and Special:AllMyUploads respectively.
+* IPv6 addresses in X-Forwarded-For headers are now normalised before checking
+  against allowed proxy lists.
 
 === Bug fixes in 1.22 ===
 * Disable Special:PasswordReset when $wgEnableEmail is false. Previously one
index 80881c9..55bddfc 100644 (file)
@@ -1141,7 +1141,7 @@ HTML;
                        # unless the address is not sensible (e.g. private). However, prefer private
                        # IP addresses over proxy servers controlled by this site (more sensible).
                        foreach ( $ipchain as $i => $curIP ) {
-                               $curIP = IP::canonicalize( $curIP );
+                               $curIP = IP::sanitizeIP( IP::canonicalize( $curIP ) );
                                if ( wfIsTrustedProxy( $curIP ) && isset( $ipchain[$i + 1] ) ) {
                                        if ( wfIsConfiguredProxy( $curIP ) || // bug 48919
                                                ( IP::isPublic( $ipchain[$i + 1] ) || $wgUsePrivateIPs )
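Review bot: The normalised value on the changed line lives only in `$curIP`; the next-hop check on the hunk's last line, `IP::isPublic( $ipchain[$i + 1] )`, and any later use of `$ipchain` outside the hunk still see the raw header text, so one iteration can compare the same address in two different spellings. Whether `IP::isPublic` tolerates abbreviated or upper-case IPv6 is not visible here, and the trusted-proxy list comparison is exactly where a mismatch would matter; normalising the whole chain once ahead of the existing `foreach` removes the question, e.g. `foreach ( $ipchain as $i => $ip ) { $ipchain[$i] = IP::sanitizeIP( IP::canonicalize( $ip ) ); }`, after which the changed line becomes redundant. `IP::canonicalize` may return a non-string for an unparseable entry (its contract is not shown here); the original code already passed that result straight to `wfIsTrustedProxy`, so the up-front loop keeps that path as it was. The foreach body continues past the end of the hunk.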
index 1c6b733..4f5322e 100644 (file)
@@ -1,5 +1,8 @@
 <?php
 
+/**
+ * @group WebRequest
+ */
 class WebRequestTest extends MediaWikiTestCase {
        protected $oldServer;
 
@@ -143,6 +146,17 @@ class WebRequestTest extends MediaWikiTestCase {
                                false,
                                'Simple IPv6'
                        ),
+                       array(
+                               '12.0.0.1',
+                               array(
+                                       'REMOTE_ADDR' => 'abcd:0001:002:03:4:555:6666:7777',
+                                       'HTTP_X_FORWARDED_FOR' => '12.0.0.1, abcd:0001:002:03:4:555:6666:7777',
+                               ),
+                               array( 'ABCD:1:2:3:4:555:6666:7777' ),
+                               array(),
+                               false,
+                               'IPv6 normalisation'
+                       ),
                        array(
                                '12.0.0.3',
                                array(