Bug #63283
closed
cmpIPv6 does not work with subnets
0%
Description
We're relying on the IPv4 implementation of t3lib_div::cmpIP() in an extension to check access based on the request IP. This works fine for single IP addresses as well as for whole subnets, see example:
$validIpv4Addresses = '192.168.99.100,192.168.100.0/24';
$result = t3lib_div::cmpIP('192.168.100.42', $validIpv4Addresses);
// => $result == TRUE (matches the subnet)
The documentation of the cmpIP() method sounds like the same is/should be possible for IPv6 addresses and subnets, too. But it doesn't work as expected, at least not if you want to check against a whole subnet.
$validIpv6Addresses = '2001:67c:690:302/64';
$result = t3lib_div::cmpIP('2001:67c:690:302::100', $validIpv6Addresses);
// => $result == FALSE (the IPv6-address-string with the subnet does not pass t3lib_div::validIPv6() method call)
When looking at the code within cmpIPv6() it looks like whole subnets would be taken into account. But as the string '2001:67c:690:302/64' is not treated as a valid IPv6 address in validIPv6(), the further checking / address expansion of the subnet is not executed at all.
I think this should be changed to work similarly to the variant in IPv4.
Updated by Andreas Wolf almost 10 years ago
- Category set to Backend API
- Status changed from New to Rejected
This is not a bug, the subnet mask is missing the trailing "::" – when using $validIpv6Addresses = '2001:67c:690:302::/64', it works as intended. The originally used mask is not valid per IPv6 specifications.
Nevertheless this is an error that is probably made more often by users, e.g. when truncating a copied address. Therefore, we could at least have a unit test to make this behaviour more explicit, an additional debug log message if such an invalid IPv6 address is encountered.
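The behaviour discussed in this issue, as an added example (not TYPO3 code and not part of the original posts): a stand-alone PHP check that matches a client address against an IPv6 allowlist and hands back malformed entries so they can be logged instead of silently never matching. The function names parseIpv6Entry() and ipv6InList() are hypothetical; only PHP built-ins are used.

```php
<?php
// Added example, not TYPO3 code; function names are hypothetical.
// Parse "addr" or "addr/prefix" into [packed address, prefix length]; null if malformed.
function parseIpv6Entry(string $entry): ?array
{
    $parts = explode('/', trim($entry), 2);
    if (filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
        return null; // '2001:67c:690:302' lands here: four groups and no '::'
    }
    $bits = $parts[1] ?? '128';
    if (!preg_match('/^\d{1,3}$/D', $bits) || (int)$bits > 128) {
        return null;
    }
    return [inet_pton($parts[0]), (int)$bits];
}

// True if $ip is inside any valid entry of the comma-separated $list.
// Malformed entries never match and are collected in $rejected for logging.
function ipv6InList(string $ip, string $list, array &$rejected = []): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
        return false;
    }
    $packedIp = inet_pton($ip);
    $match = false;
    foreach (explode(',', $list) as $entry) {
        $parsed = parseIpv6Entry($entry);
        if ($parsed === null) {
            $rejected[] = trim($entry);
            continue;
        }
        [$net, $bits] = $parsed;
        $full = intdiv($bits, 8);                  // whole bytes covered by the prefix
        $mask = (0xFF << (8 - $bits % 8)) & 0xFF;  // partial-byte mask, 0 if none
        if (substr($packedIp, 0, $full) === substr($net, 0, $full)
            && ($mask === 0 || (ord($packedIp[$full]) & $mask) === (ord($net[$full]) & $mask))) {
            $match = true;
        }
    }
    return $match;
}

// Constructed input: the two list forms from this issue.
foreach (['2001:67c:690:302/64', '2001:67c:690:302::/64'] as $list) {
    $rejected = [];
    $ok = ipv6InList('2001:67c:690:302::100', $list, $rejected);
    printf("%s => %s, rejected: %s\n", $list, var_export($ok, true), implode(' ', $rejected));
}
```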