From cfc0770ad00f86f8b7cc70d1d7419d7f97b5c5e6 Mon Sep 17 00:00:00 2001
From: Max Semenik
Date: Wed, 31 Jul 2013 02:45:48 +0400
Subject: [PATCH] Normalize IPv6 addresses in XFF chains

Otherwise, we're at proxy's mercy for using the same form of IPs.

Change-Id: I090947958bf699ee6d8a9009c9e4a6d11da23f2c
---
 RELEASE-NOTES-1.22 | 2 ++
 includes/WebRequest.php | 2 +-
 tests/phpunit/includes/WebRequestTest.php | 14 ++++++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index f0490d4920..ee492c4574 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -206,6 +206,8 @@ production.
 they have ever uploaded, even if it was subsequently overriden.
 * Introduced Special:MyFiles and Special:AllMyFiles as an alias for
 Special:MyUploads and Special:AllMyUploads respectively.
+* IPv6 addresses in X-Forwarded-For headers are now normalised before checking
+ against allowed proxy lists.
 
 === Bug fixes in 1.22 ===
 * Disable Special:PasswordReset when $wgEnableEmail is false. Previously one
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 80881c977c..55bddfc8f3 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -1141,7 +1141,7 @@ HTML;
 # unless the address is not sensible (e.g. private). However, prefer private
 # IP addresses over proxy servers controlled by this site (more sensible).
 foreach ( $ipchain as $i => $curIP ) {
- $curIP = IP::canonicalize( $curIP );
+ $curIP = IP::sanitizeIP( IP::canonicalize( $curIP ) );
 if ( wfIsTrustedProxy( $curIP ) && isset( $ipchain[$i + 1] ) ) {
 if ( wfIsConfiguredProxy( $curIP ) || // bug 48919
 ( IP::isPublic( $ipchain[$i + 1] ) || $wgUsePrivateIPs )
diff --git a/tests/phpunit/includes/WebRequestTest.php b/tests/phpunit/includes/WebRequestTest.php
index 1c6b7336d2..4f5322e8a7 100644
--- a/tests/phpunit/includes/WebRequestTest.php
+++ b/tests/phpunit/includes/WebRequestTest.php
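Review bot: The normalisation on the changed line in includes/WebRequest.php is applied only to the loop copy $curIP, so `IP::isPublic( $ipchain[$i + 1] )` on the hunk's last line still inspects the raw next-hop string, and whatever the loop later selects from $ipchain[$i + 1] as the client address (the foreach body continues outside the hunk) is presumably still in the proxy-supplied form the commit message wants to stop depending on. Normalising the whole chain once before the loop keeps every comparison and the selected value in one form, e.g. `$ipchain = array_map( function ( $ip ) { return IP::sanitizeIP( IP::canonicalize( $ip ) ); }, $ipchain );` placed above the foreach, after which the changed line can be dropped. If IP::canonicalize returns null for an entry it cannot parse, that null then reaches wfIsTrustedProxy and IP::isPublic, so confirm those tolerate it or drop such entries from the chain first. A one-line why-comment on the normalisation, such as `# Compare against the proxy lists in one fixed form; a peer may spell an IPv6 address in any equivalent way`, would make the intent clear to the next reader.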
@@ -1,5 +1,8 @@ 'abcd:0001:002:03:4:555:6666:7777', + 'HTTP_X_FORWARDED_FOR' => '12.0.0.1, abcd:0001:002:03:4:555:6666:7777', + ), + array( 'ABCD:1:2:3:4:555:6666:7777' ), + array(), + false, + 'IPv6 normalisation' + ), array( '12.0.0.3', array( -- 2.20.1