PHP :: Bug #47435 :: FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES

Bug #47435

FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE don't work with ipv6

Submitted:

2009-02-18 13:57 UTC

Modified:

2010-12-12 20:54 UTC

Votes:	4
Avg. Score:	4.0 ± 1.0
Reproduced:	3 of 4 (75.0%)
Same Version:	3 (100.0%)
Same OS:	3 (100.0%)

From:

valli at icsurselva dot ch

Assigned:

iliaa (profile)

Status:

Closed

Package:

Filter related

PHP Version:

5.*, 6CVS (2009-02-18)

OS:

linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	valli at icsurselva dot ch
New email:
PHP Version:		OS:

New Comment:

[2009-02-18 13:57 UTC] valli at icsurselva dot ch

Description:
------------
The filter flags FILTER_FLAG_NO_PRIV_RANGE
and FILTER_FLAG_NO_RES_RANGE have no effekt
on private/reserved ipv6 addresses.
(see also rfc5156; Special-Use IPv6 Addresses)


Reproduce code:
---------------
var_dump(filter_var('fc00::', FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE));


Expected result:
----------------
false

Actual result:
--------------
fc00::

Patches

IPv6_FILTERS_WITH_TESTS (last revision 2010-04-07 18:58 UTC by zippy1981 at gmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-02-23 16:52 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2009-02-24 07:55 UTC] valli at icsurselva dot ch

Can't find any code in the snapshots
regarding this issue.
Will this be fixed in php-5.3?

[2009-02-26 11:17 UTC] valli at icsurselva dot ch

Sorry,
I've checked the wrong file when I wrote the last comment.
Now I've seen your fixes. But there are a lot more
ranges to check (not only fc00::/7)
At least the following IPv6 ranges should match when
FILTER_FLAG_NO_RES_RANGE is set (rfc5156):
::/128         // unspecified address (rfc4291)
fe80::/10      // link local unicast (rfc4291)
2001:db8::/32  // documentation addresses (rfc3849)
5f00::/8       // 6Bone
3ffe::/16      // 6Bone

[2009-03-03 01:20 UTC] iliaa@php.net

According to the RFC I saw, the indicated ranges are the only ones 
identified as private.

[2009-03-03 06:42 UTC] valli at icsurselva dot ch

Yes, fc00::/7 is the one and only IPv6 private range.
But there are also a lot of reserved ranges.

FILTER_FLAG_NO_PRIV_RANGE (IP not from private ranges)
fc00::/7       // unique-local addresses (rfc4193)

FILTER_FLAG_NO_RES_RANGE (IP not from reserved ranges)
::/128         // unspecified address (rfc4291)
::1/128        // loopback address (rfc4291)
fe80::/10      // link local unicast (rfc4291)
2001:db8::/32  // documentation addresses (rfc3849)
5f00::/8       // 6Bone
3ffe::/16      // 6Bone
::ffff:0:0/96  // IPv4-Mapped addresses (rfc4291)
2001:10::/28   // ORCHID addresses (rfc4843)
::/0           // default unicast route address

FYI the following ranges are implemented for IPv4 in logical_filters.c
FILTER_FLAG_NO_PRIV_RANGE (IP not from private ranges)
10.0.0.0/8     // private use network (rfc1918)
172.16.0.0/12  // private use network (rfc1918)
192.168.0.0/16 // private use network (rfc1918)

FILTER_FLAG_NO_RES_RANGE (IP not from reserved ranges)
0.0.0.0/8      // "this" network (rfc1700)
169.254.0.0/16 // link local network (rfc3927)
192.0.2.0/24   // test net (rfc3330)
224.0.0.0/4    // Multicast (rfc3171)
240.0.0.0/4    // Reserved for Future Use (rfc1700)

[2010-04-07 19:27 UTC] mikeg at bsd-box dot net

Valli's comment seems to be the right solution: It correctly identifies
& differentiates the RFC-listed private & reserved space.

I would propose an additional "FILTER_FLAG_NO_SPECIAL_RANGE" that
captures the union of the other sets as a convenient shortcut,
but that's just laziness on my part.

[2010-04-07 21:14 UTC] zippy1981 at gmail dot com

I implemented Valli's suggestion with two caveats:

1) I have to do the IPv4 mapping addresses. I will do that next.
2) FILTER_VALIDATE_IP does not handle subnets, only IPs.

[2010-12-12 20:54 UTC] iliaa@php.net

Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=306290
Log: Fixed bug #47435 (FILTER_FLAG_NO_RES_RANGE don't work with ipv6).

[2010-12-12 20:54 UTC] iliaa@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: iliaa

[2010-12-12 20:54 UTC] iliaa@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 13:01:29 2024 UTC