From: Max Semenik
Date: Tue, 30 Jul 2013 22:45:48 +0000 (+0400)
Subject: Normalize IPv6 addresses in XFF chains
X-Git-Tag: 1.31.0-rc.0~18841^2
X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/comptes/?a=commitdiff_plain;h=cfc0770ad00f86f8b7cc70d1d7419d7f97b5c5e6;p=lhc%2Fweb%2Fwiklou.git

Normalize IPv6 addresses in XFF chains

Otherwise, we're at proxy's mercy for using the same form of IPs.

Change-Id: I090947958bf699ee6d8a9009c9e4a6d11da23f2c
---
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index f0490d4920..ee492c4574 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -206,6 +206,8 @@ production.
   they have ever uploaded, even if it was subsequently overriden.
 * Introduced Special:MyFiles and Special:AllMyFiles as an alias for
   Special:MyUploads and Special:AllMyUploads respectively.
+* IPv6 addresses in X-Forwarded-For headers are now normalised before checking
+  against allowed proxy lists.
 
 === Bug fixes in 1.22 ===
 * Disable Special:PasswordReset when $wgEnableEmail is false. Previously one
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 80881c977c..55bddfc8f3 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -1141,7 +1141,7 @@ HTML;
 		# unless the address is not sensible (e.g. private). However, prefer private
 		# IP addresses over proxy servers controlled by this site (more sensible).
 		foreach ( $ipchain as $i => $curIP ) {
-			$curIP = IP::canonicalize( $curIP );
+			$curIP = IP::sanitizeIP( IP::canonicalize( $curIP ) );
 			if ( wfIsTrustedProxy( $curIP ) && isset( $ipchain[$i + 1] ) ) {
 				if ( wfIsConfiguredProxy( $curIP ) || // bug 48919
 					( IP::isPublic( $ipchain[$i + 1] ) || $wgUsePrivateIPs )
diff --git a/tests/phpunit/includes/WebRequestTest.php b/tests/phpunit/includes/WebRequestTest.php
index 1c6b7336d2..4f5322e8a7 100644
--- a/tests/phpunit/includes/WebRequestTest.php
+++ b/tests/phpunit/includes/WebRequestTest.php
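Review bot: The normalisation on the added line only touches the loop copy `$curIP`, so the `IP::isPublic( $ipchain[$i + 1] )` check two lines below still sees the raw header value, and if the address finally chosen is also taken from `$ipchain[$i + 1]` (the rest of the loop is outside the hunk) it is returned in whatever form the proxy sent it. Since X-Forwarded-For entries before the last trusted proxy are client-supplied, the one place that guarantees a single form for every comparison and for the value that gets recorded is a pass over the whole chain before the loop, e.g. `$ipchain = array_map( function ( $ip ) { return IP::sanitizeIP( IP::canonicalize( $ip ) ); }, $ipchain );`, with the added line then dropped. Worth confirming that `IP::sanitizeIP()` tolerates the null that `IP::canonicalize()` may return for an unparsable entry, since the previous code passed that result straight to `wfIsTrustedProxy()` as well. The enclosing function starts and ends outside the hunk.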
@@ -1,5 +1,8 @@ 'abcd:0001:002:03:4:555:6666:7777', + 'HTTP_X_FORWARDED_FOR' => '12.0.0.1, abcd:0001:002:03:4:555:6666:7777', + ), + array( 'ABCD:1:2:3:4:555:6666:7777' ), + array(), + false, + 'IPv6 normalisation' + ), array( '12.0.0.3', array(