php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47435 FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE don't work with ipv6
Submitted: 2009-02-18 13:57 UTC Modified: 2010-12-12 20:54 UTC
Votes:4
Avg. Score:4.0 ± 1.0
Reproduced:3 of 4 (75.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: valli at icsurselva dot ch Assigned: iliaa (profile)
Status: Closed Package: Filter related
PHP Version: 5.*, 6CVS (2009-02-18) OS: linux
Private report: No CVE-ID: None
 [2009-02-18 13:57 UTC] valli at icsurselva dot ch
Description:
------------
The filter flags FILTER_FLAG_NO_PRIV_RANGE
and FILTER_FLAG_NO_RES_RANGE have no effekt
on private/reserved ipv6 addresses.
(see also rfc5156; Special-Use IPv6 Addresses)


Reproduce code:
---------------
var_dump(filter_var('fc00::', FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE));


Expected result:
----------------
false

Actual result:
--------------
fc00::

Patches

IPv6_FILTERS_WITH_TESTS (last revision 2010-04-07 18:58 UTC by zippy1981 at gmail dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-02-23 16:52 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2009-02-24 07:55 UTC] valli at icsurselva dot ch
Can't find any code in the snapshots
regarding this issue.
Will this be fixed in php-5.3?
 [2009-02-26 11:17 UTC] valli at icsurselva dot ch
Sorry,
I've checked the wrong file when I wrote the last comment.
Now I've seen your fixes. But there are a lot more
ranges to check (not only fc00::/7)
At least the following IPv6 ranges should match when
FILTER_FLAG_NO_RES_RANGE is set (rfc5156):
::/128         // unspecified address (rfc4291)
fe80::/10      // link local unicast (rfc4291)
2001:db8::/32  // documentation addresses (rfc3849)
5f00::/8       // 6Bone
3ffe::/16      // 6Bone
 [2009-03-03 01:20 UTC] iliaa@php.net
According to the RFC I saw, the indicated ranges are the only ones 
identified as private.
 [2009-03-03 06:42 UTC] valli at icsurselva dot ch
Yes, fc00::/7 is the one and only IPv6 private range.
But there are also a lot of reserved ranges.

FILTER_FLAG_NO_PRIV_RANGE (IP not from private ranges)
fc00::/7       // unique-local addresses (rfc4193)

FILTER_FLAG_NO_RES_RANGE (IP not from reserved ranges)
::/128         // unspecified address (rfc4291)
::1/128        // loopback address (rfc4291)
fe80::/10      // link local unicast (rfc4291)
2001:db8::/32  // documentation addresses (rfc3849)
5f00::/8       // 6Bone
3ffe::/16      // 6Bone
::ffff:0:0/96  // IPv4-Mapped addresses (rfc4291)
2001:10::/28   // ORCHID addresses (rfc4843)
::/0           // default unicast route address

FYI the following ranges are implemented for IPv4 in logical_filters.c
FILTER_FLAG_NO_PRIV_RANGE (IP not from private ranges)
10.0.0.0/8     // private use network (rfc1918)
172.16.0.0/12  // private use network (rfc1918)
192.168.0.0/16 // private use network (rfc1918)

FILTER_FLAG_NO_RES_RANGE (IP not from reserved ranges)
0.0.0.0/8      // "this" network (rfc1700)
169.254.0.0/16 // link local network (rfc3927)
192.0.2.0/24   // test net (rfc3330)
224.0.0.0/4    // Multicast (rfc3171)
240.0.0.0/4    // Reserved for Future Use (rfc1700)
 [2010-04-07 19:27 UTC] mikeg at bsd-box dot net
Valli's comment seems to be the right solution: It correctly identifies
& differentiates the RFC-listed private & reserved space.

I would propose an additional "FILTER_FLAG_NO_SPECIAL_RANGE" that
captures the union of the other sets as a convenient shortcut,
but that's just laziness on my part.
 [2010-04-07 21:14 UTC] zippy1981 at gmail dot com
I implemented Valli's suggestion with two caveats:

1) I have to do the IPv4 mapping addresses. I will do that next.
2) FILTER_VALIDATE_IP does not handle subnets, only IPs.
 [2010-12-12 20:54 UTC] iliaa@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=306290
Log: Fixed bug #47435 (FILTER_FLAG_NO_RES_RANGE don't work with ipv6).
 [2010-12-12 20:54 UTC] iliaa@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: iliaa
 [2010-12-12 20:54 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 04:01:31 2024 UTC