TYPO3 Core

Hi Markus, yes that is what I mean "With a protocol switch you mean switching from v4 to v6". I do alredy disable IP-Lock witch is working fine.

My Issue is an hint if some one doese not disable IP-Lock an warning is thrown witch is in an good server setup an error. By changing the code no warning appiers but you are right user will still be locked out. Thx

If I understand you correctly, I can close this ticket, right?

yes and no

point is this code doese not work well on default setting iplock = on:

$ipToCompare = $this->isIpv6Address($sessionIpLock)
? $this->getIpLockPartForIpv6Address($ipAddress)
: $this->getIpLockPartForIpv4Address($ipAddress);
return $ipToCompare === $sessionIpLock;
}

if ip swichtes the condition checking choosing the normalizer checks on $sessionIpLock but then the $ipAddress is send to the methoed. If for example session is locked witch ip4 and then connection is swicht to ipv6 $this->getIpLockPartForIpv4Address tryes to prosess an ipv6 witch triggerd an warning in most context this throws an php error.

I see three options:

1. accept it and update documentation to do not use iplock in mixed ip stack
2. make some more checks in getIpLockPartFor Ipv4Address getIpLockPartFor Ipv6 Address so that no wornings are thrown if ip stack is swicht
3. Use my code above (my is has security impact)
4.

My favorite one is the throw a special exception if ipLook is on and and ip stack change is detected

like:

if($this->isIpv6Address($sessionIpLock) !== $this->isIpv6Address($ipAddress)) {
            throw new \Exception('You are using both ip stacks ipv6 and ipv4 ip lock does not work please disable it in the install tool');
        }

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63001

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62975