
[HttpFoundation] IPv4-mapped IPv6 addresses incorrectly rejected #48420

Closed
@bonroyage


Symfony version(s) affected

6.1.8

Description

IPv4 to IPv6 mapped addresses are incorrectly rejected by the checkIp6 function, because of the check for dots added in #48050. For example, Azure Frontdoor makes requests where the IP address is listed as ::ffff:147.243.231.120. This broke my Laravel installation because suddenly these requests were blocked by the TrustProxies middleware.

How to reproduce

In 6.1.7:

\Symfony\Component\HttpFoundation\IpUtils::checkIp6('::ffff:147.243.231.120', '::ffff:147.243.0.0/16')
// true

In 6.1.8:

\Symfony\Component\HttpFoundation\IpUtils::checkIp6('::ffff:147.243.231.120', '::ffff:147.243.0.0/16')
// false

Possible Solution

Remove the check for dots, because pure IPv4 addresses are rejected by the filter_var function when the IPv6 flag is added

filter_var("10.0.0.1", \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)
// false

While those in IPv6 notation are allowed

filter_var("::ffff:10.0.0.1", \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)
// "::ffff:10.0.0.1"

But to also check that the $ip is valid IPv6, check that it is valid with the filter_var function

Additional Context

In RFC-4291, dots are allowed in IPv6 addresses

2.2. Text Representation of Addresses

3. An alternative form that is sometimes more convenient when dealing
      with a mixed environment of IPv4 and IPv6 nodes is
      x:x:x:x:x:x:d.d.d.d, where the 'x's are the hexadecimal values of
      the six high-order 16-bit pieces of the address, and the 'd's are
      the decimal values of the four low-order 8-bit pieces of the
      address (standard IPv4 representation).  Examples:

         0:0:0:0:0:0:13.1.68.3

         0:0:0:0:0:FFFF:129.144.52.38

      or in compressed form:

         ::13.1.68.3

         ::FFFF:129.144.52.38

2.5.5.2. IPv4-Mapped IPv6 Address

   A second type of IPv6 address that holds an embedded IPv4 address is
   defined.  This address type is used to represent the addresses of
   IPv4 nodes as IPv6 addresses.  The format of the "IPv4-mapped IPv6
   address" is as follows:

   |                80 bits               | 16 |      32 bits        |
   +--------------------------------------+--------------------------+
   |0000..............................0000|FFFF|    IPv4 address     |
   +--------------------------------------+----+---------------------+
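
An added example, not part of the original issue and not Symfony's code: a minimal IPv6 CIDR matcher that can be run with the dot check the issue describes or with only the `filter_var` validation it proposes. `matchIp6()` and its `$rejectDots` flag are hypothetical names, and the inputs are constructed apart from the address quoted in the issue.

```php
<?php
// Added example, not Symfony's code: matchIp6() and $rejectDots are hypothetical.
function matchIp6(string $ip, string $cidr, bool $rejectDots): bool
{
    if ($rejectDots && str_contains($ip, '.')) {
        return false; // behaviour the issue reports for 6.1.8
    }
    // Check proposed in the issue: let filter_var decide what is valid IPv6.
    if (false === filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        return false;
    }
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '128');
    if (!ctype_digit($bits) || (int) $bits > 128) {
        return false;
    }
    $bits = (int) $bits;
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($subnet);
    if (false === $ipBin || false === $netBin || 16 !== strlen($netBin)) {
        return false; // subnet must itself be a 128-bit address
    }
    // Compare the whole bytes of the prefix, then the leftover high bits.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rest = $bits % 8;
    if (0 === $rest) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Constructed inputs; the first pair is the one quoted in the issue.
$cases = [
    ['::ffff:147.243.231.120', '::ffff:147.243.0.0/16'],
    ['::ffff:147.243.231.120', '::ffff:147.243.0.0/112'],
    ['::ffff:10.0.0.1', '::ffff:147.243.0.0/16'],
    ['::ffff:10.0.0.1', '::ffff:147.243.0.0/112'],
    ['10.0.0.1', '::ffff:10.0.0.0/112'],
    ['2001:db8::1', '2001:db8::/32'],
];
foreach ($cases as [$ip, $cidr]) {
    printf("%-24s %-24s dot-check=%s filter_var-only=%s\n", $ip, $cidr,
        var_export(matchIp6($ip, $cidr, true), true),
        var_export(matchIp6($ip, $cidr, false), true));
}
```

In this matcher the prefix length counts bits of the full 128-bit address, so `/16` compares only the leading 16 zero bits and also matches `::ffff:10.0.0.1`; pinning the embedded `147.243` takes `/112` (96 + 16).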
