diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
index 6b3ba9e8fdbfb..60de7afc598d0 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -143,6 +143,15 @@ private function addAccessControlSection(ArrayNodeDefinition $rootNode)
->integerNode('port')->defaultNull()->end()
->arrayNode('ips')
->beforeNormalization()->ifString()->then(function ($v) { return [$v]; })->end()
+ ->beforeNormalization()->always()->then(function ($v) {
+ foreach ($v as $ip) {
+ if (false === $this->isValidIp($ip)) {
+ throw new \LogicException(sprintf('The given "%s" value in the "access_control" config option is not a valid IP address.', $ip));
+ }
+ }
+
+ return $v;
+ })->end()
->prototype('scalar')->end()
->end()
->arrayNode('methods')
@@ -419,4 +428,30 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
->end()
;
}
+
+ private function isValidIp(string $cidr): bool
+ {
+ $cidrParts = explode('/', $cidr);
+
+ if (1 === \count($cidrParts)) {
+ return false !== filter_var($cidrParts[0], FILTER_VALIDATE_IP);
+ }
+
+ $ip = $cidrParts[0];
+ $netmask = $cidrParts[1];
+
+ if (!ctype_digit($netmask)) {
+ return false;
+ }
+
+ if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+ return $netmask <= 32;
+ }
+
+ if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ return $netmask <= 128;
+ }
+
+ return false;
+ }
}
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FormLoginBundle/Resources/config/routing.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FormLoginBundle/Resources/config/routing.yml
index 30466deb32da2..2fff93dcad2ef 100644
--- a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FormLoginBundle/Resources/config/routing.yml
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FormLoginBundle/Resources/config/routing.yml
@@ -31,6 +31,15 @@ secured-by-one-ip:
secured-by-two-ips:
path: /secured-by-two-ips
+secured-by-one-real-ip:
+ path: /secured-by-one-real-ip
+
+secured-by-one-real-ip-with-mask:
+ path: /secured-by-one-real-ip-with-mask
+
+secured-by-one-real-ipv6:
+ path: /secured-by-one-real-ipv6
+
form_logout:
path: /logout_path
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityRoutingIntegrationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityRoutingIntegrationTest.php
index 0d2d6da0cfc51..682c561ac5aa5 100644
--- a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityRoutingIntegrationTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityRoutingIntegrationTest.php
@@ -71,10 +71,16 @@ public function testSecurityConfigurationForMultipleIPAddresses($config)
{
$allowedClientA = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '1.1.1.1']);
$allowedClientB = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '2.2.2.2']);
+ $allowedClientC = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '203.0.113.0']);
$barredClient = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '192.168.1.1']);
$this->assertAllowed($allowedClientA, '/secured-by-two-ips');
$this->assertAllowed($allowedClientB, '/secured-by-two-ips');
+
+ $this->assertRestricted($allowedClientA, '/secured-by-one-real-ip');
+ $this->assertRestricted($allowedClientA, '/secured-by-one-real-ipv6');
+ $this->assertAllowed($allowedClientC, '/secured-by-one-real-ip-with-mask');
+
$this->assertRestricted($barredClient, '/secured-by-two-ips');
}
@@ -100,6 +106,15 @@ public function testSecurityConfigurationForExpression($config)
$this->assertAllowed($allowedClient, '/protected-via-expression');
}
+ public function testInvalidIpsInAccessControl()
+ {
+ $this->expectException(\LogicException::class);
+ $this->expectExceptionMessage('The given "256.357.458.559" value in the "access_control" config option is not a valid IP address.');
+
+ $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'invalid_ip_access_control.yml']);
+ $client->request('GET', '/unprotected_resource');
+ }
+
private function assertAllowed($client, $path)
{
$client->request('GET', $path);
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/config.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/config.yml
index d7c73aa0b6dc0..df03c20c5c514 100644
--- a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/config.yml
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/config.yml
@@ -39,6 +39,10 @@ security:
- { path: ^/secure-but-not-covered-by-access-control$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secured-by-one-ip$, ip: 10.10.10.10, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secured-by-two-ips$, ips: [1.1.1.1, 2.2.2.2], roles: IS_AUTHENTICATED_ANONYMOUSLY }
+ # these real IP addresses are reserved for docs/examples (https://tools.ietf.org/search/rfc5737)
+ - { path: ^/secured-by-one-real-ip$, ips: 198.51.100.0, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+ - { path: ^/secured-by-one-real-ip-with-mask$, ips: '203.0.113.0/24', roles: IS_AUTHENTICATED_ANONYMOUSLY }
+ - { path: ^/secured-by-one-real-ipv6$, ips: 0:0:0:0:0:ffff:c633:6400, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/highly_protected_resource$, roles: IS_ADMIN }
- { path: ^/protected-via-expression$, allow_if: "(is_anonymous() and request.headers.get('user-agent') matches '/Firefox/i') or is_granted('ROLE_USER')" }
- { path: .*, roles: IS_AUTHENTICATED_FULLY }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/invalid_ip_access_control.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/invalid_ip_access_control.yml
new file mode 100644
index 0000000000000..e4f46c4704af6
--- /dev/null
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/invalid_ip_access_control.yml
@@ -0,0 +1,22 @@
+imports:
+ - { resource: ./../config/default.yml }
+
+security:
+ encoders:
+ Symfony\Component\Security\Core\User\User: plaintext
+
+ providers:
+ in_memory:
+ memory:
+ users:
+ johannes: { password: test, roles: [ROLE_USER] }
+
+ firewalls:
+ default:
+ form_login: ~
+ logout: ~
+ anonymous: ~
+
+ access_control:
+ # the '256.357.458.559' IP is wrong on purpose, to check invalid IP errors
+ - { path: ^/unprotected_resource$, ips: [1.1.1.1, 256.357.458.559], roles: IS_AUTHENTICATED_ANONYMOUSLY }
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy