Commit 7a347e83 authored by Sybille Peters, committed by Christian Kuhn

[BUGFIX] Clarify IPv6 address matching

When matching IPv6 addresses (for example in IPmaskList),
appending * to the address as a wildcard will not work.
The function GeneralUtility::cmpIPv6() uses validIPv6(),
which will fail on an address with *.

Using addresses with CIDR-notation will work for both
IPv4 and IPv6 addresses (e.g. 2001:0DB8:1234::/48,
192.16.0.0/16).

The description of TYPO3_CONF_VARS and the comments for the
function in GeneralUtility are updated accordingly.

Resolves: #94620
Releases: master, 10.4
Change-Id: Ie068ca579a41cd3c6552e6a302bbe11b0ca2883a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70055

Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
parent 5b3162c5
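The CIDR matching that the commit message describes, as an added stand-alone PHP example (not TYPO3's GeneralUtility::cmpIP()/cmpIPv6(), which this change only documents): it accepts IPv4 and IPv6 entries in CIDR notation plus the allow-all "*" list that the cmpIP() docblock mentions, and shows why an IPv6 entry carrying a * wildcard can never match, because it does not parse as an address. It deliberately supports no wildcard or shortened-address syntax for either family. The function names ipMatchesList and prefixMatches, the use of inet_pton() for parsing, and the sample inputs are all my assumptions, not taken from the project.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical stand-alone matcher, not TYPO3's GeneralUtility::cmpIP().
 * $list is a comma-separated list of entries; each entry is a plain IPv4/IPv6
 * address or a CIDR prefix (e.g. 192.168.0.0/16, 2001:db8::/32). A list of
 * exactly "*" matches everything, mirroring the documented cmpIP() behaviour.
 * Entries that do not parse as an address (e.g. "2001:db8:1234:*") never match.
 */
function ipMatchesList(string $ip, string $list): bool
{
    if (trim($list) === '*') {
        return true;
    }
    $packedIp = @inet_pton($ip);      // binary form: 4 bytes (IPv4) or 16 bytes (IPv6)
    if ($packedIp === false) {
        return false;                 // caller passed something that is not an address
    }
    $bits = strlen($packedIp) * 8;

    foreach (explode(',', $list) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        [$network, $prefix] = array_pad(explode('/', $entry, 2), 2, null);

        // inet_pton() rejects wildcards, so "2001:db8:1234:*" yields false here
        // and the entry is skipped: it can never grant access.
        $packedNet = @inet_pton($network);
        if ($packedNet === false || strlen($packedNet) !== strlen($packedIp)) {
            continue;                 // unparsable entry or address-family mismatch
        }

        // No prefix length means a single host (/32 or /128).
        if ($prefix === null) {
            $prefixLen = $bits;
        } elseif (preg_match('/^\d{1,3}$/', $prefix) === 1 && (int)$prefix <= $bits) {
            $prefixLen = (int)$prefix;
        } else {
            continue;                 // malformed prefix length, e.g. "/" or "/200"
        }

        if (prefixMatches($packedIp, $packedNet, $prefixLen)) {
            return true;
        }
    }
    return false;
}

/** Compare the first $prefixLen bits of two equal-length packed addresses. */
function prefixMatches(string $a, string $b, int $prefixLen): bool
{
    $fullBytes = intdiv($prefixLen, 8);
    if (substr($a, 0, $fullBytes) !== substr($b, 0, $fullBytes)) {
        return false;
    }
    $remaining = $prefixLen % 8;
    if ($remaining === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remaining)) & 0xFF;   // top $remaining bits of the next byte
    return (ord($a[$fullBytes]) & $mask) === (ord($b[$fullBytes]) & $mask);
}

// Constructed sample inputs for demonstration.
var_dump(ipMatchesList('192.168.1.7', '10.0.0.0/8,192.168.0.0/16'));
var_dump(ipMatchesList('10.0.31.255', '10.0.16.0/20'));
var_dump(ipMatchesList('2001:db8:1234::1', '2001:db8:1234::/48'));
var_dump(ipMatchesList('2001:db8:1234::1', '2001:db8:1234:*'));   // wildcard entry, as warned against in the commit
var_dump(ipMatchesList('2001:db8:1234::1', '192.168.0.0/16'));     // IPv6 client, IPv4-only list
```

The first three calls match (the second one exercises a prefix length that is not byte-aligned). The fourth cannot match because the wildcard entry never parses, which is the fail-closed behaviour the commit describes: a mistyped IPv6 allowlist entry locks the client out rather than opening access, so operators should verify IPv6 entries after editing BE/IPmaskList. The last call fails on the address-family mismatch.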
...@@ -213,7 +213,7 @@ class GeneralUtility ...@@ -213,7 +213,7 @@ class GeneralUtility
* Dispatcher method for switching into specialised IPv4 and IPv6 methods. * Dispatcher method for switching into specialised IPv4 and IPv6 methods.
* *
* @param string $baseIP Is the current remote IP address for instance, typ. REMOTE_ADDR * @param string $baseIP Is the current remote IP address for instance, typ. REMOTE_ADDR
* @param string $list Is a comma-list of IP-addresses to match with. *-wildcard allowed instead of number, plus leaving out parts in the IP number is accepted as wildcard (eg. 192.168.*.* equals 192.168). If list is "*" no check is done and the function returns TRUE immediately. An empty list always returns FALSE. * @param string $list Is a comma-list of IP-addresses to match with. CIDR-notation should be used. For IPv4 addresses only, the *-wildcard is also allowed instead of number, plus leaving out parts in the IP number is accepted as wildcard (eg. 192.168.*.* equals 192.168). If list is "*" no check is done and the function returns TRUE immediately. An empty list always returns FALSE.
* @return bool TRUE if an IP-mask from $list matches $baseIP * @return bool TRUE if an IP-mask from $list matches $baseIP
*/ */
public static function cmpIP($baseIP, $list) public static function cmpIP($baseIP, $list)
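Review bot: the new cmpIP() @param text says CIDR-notation "should" be used, but for IPv6 entries it is a hard requirement (the commit message notes that cmpIPv6() delegates to validIPv6(), which fails on an address containing *), and the docblock does not say what happens to such an entry. Since this is the syntax operators use for BE/IPmaskList allowlists, state the requirement and the failure mode explicitly, e.g. "IPv6 entries must use CIDR-notation; an IPv6 entry containing * is never matched" instead of "CIDR-notation should be used", and say whether the entry is skipped or causes an error. The unchanged sentence about a list of "*" returning TRUE immediately is still correct and worth keeping right next to the new wording, because a single "*" entry disables the restriction entirely.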
...@@ -235,7 +235,7 @@ class GeneralUtility ...@@ -235,7 +235,7 @@ class GeneralUtility
* Match IPv4 number with list of numbers with wildcard * Match IPv4 number with list of numbers with wildcard
* *
* @param string $baseIP Is the current remote IP address for instance, typ. REMOTE_ADDR * @param string $baseIP Is the current remote IP address for instance, typ. REMOTE_ADDR
* @param string $list Is a comma-list of IP-addresses to match with. *-wildcard allowed instead of number, plus leaving out parts in the IP number is accepted as wildcard (eg. 192.168.*.* equals 192.168), could also contain IPv6 addresses * @param string $list Is a comma-list of IP-addresses to match with. CIDR-notation, *-wildcard allowed instead of number, plus leaving out parts in the IP number is accepted as wildcard (eg. 192.168.0.0/16 equals 192.168.*.* equals 192.168), could also contain IPv6 addresses
* @return bool TRUE if an IP-mask from $list matches $baseIP * @return bool TRUE if an IP-mask from $list matches $baseIP
*/ */
public static function cmpIPv4($baseIP, $list) public static function cmpIPv4($baseIP, $list)
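Review bot: the summary line "Match IPv4 number with list of numbers with wildcard" still describes wildcard matching only, although the @param text now lists CIDR-notation first; update it to something like "Match IPv4 address with a list of CIDR prefixes or wildcard patterns". The new @param wording "CIDR-notation, *-wildcard allowed instead of number" is a fragment; suggest "CIDR-notation is allowed, as is a *-wildcard instead of a number". The example "192.168.0.0/16 equals 192.168.*.* equals 192.168" is correct and useful as it stands.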
...@@ -283,7 +283,8 @@ class GeneralUtility ...@@ -283,7 +283,8 @@ class GeneralUtility
* Match IPv6 address with a list of IPv6 prefixes * Match IPv6 address with a list of IPv6 prefixes
* *
* @param string $baseIP Is the current remote IP address for instance * @param string $baseIP Is the current remote IP address for instance
* @param string $list Is a comma-list of IPv6 prefixes, could also contain IPv4 addresses * @param string $list Is a comma-list of IPv6 prefixes, could also contain IPv4 addresses. IPv6 addresses
* must be specified in CIDR-notation, not with * wildcard, otherwise self::validIPv6() will fail.
* @return bool TRUE If a baseIP matches any prefix * @return bool TRUE If a baseIP matches any prefix
*/ */
public static function cmpIPv6($baseIP, $list) public static function cmpIPv6($baseIP, $list)
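Review bot: "otherwise self::validIPv6() will fail" on the new @param line documents the implementation rather than what the caller observes; say what happens to such an entry, i.e. whether it is treated as non-matching (the function returns FALSE for it) or an error is raised, since the difference matters for an allowlist. "IPv6 addresses must be specified in CIDR-notation" also leaves open whether a single address without a prefix length is accepted; state it explicitly (for instance that a bare address is treated as /128, or that /128 must be written), because IPmaskList users will copy this line.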
...@@ -317,7 +317,7 @@ BE: ...@@ -317,7 +317,7 @@ BE:
description: 'Session time out for backend users in seconds. The value must be at least 180 to avoid side effects. Default is 28.800 seconds = 8 hours.' description: 'Session time out for backend users in seconds. The value must be at least 180 to avoid side effects. Default is 28.800 seconds = 8 hours.'
IPmaskList: IPmaskList:
type: list type: list
description: 'Lets you define a list of IP-numbers (with *-wildcards) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig. See syntax for that (or look up syntax for the function <code>\TYPO3\CMS\Core\Utility\GeneralUtility::cmpIP())</code>' description: 'Lets you define a list of IP-numbers (in CIDR-notation, e.g. 194.168.0.0/16,2002::1234:abcd:ffff:c0a8:101/64) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig. See syntax for that (or look up syntax for the function <code>\TYPO3\CMS\Core\Utility\GeneralUtility::cmpIP())</code>'
lockSSL: lockSSL:
type: bool type: bool
description: 'If set, the backend can only be operated from an SSL-encrypted connection (https). A redirect to the SSL version of a URL will happen when a user tries to access non-https admin-urls' description: 'If set, the backend can only be operated from an SSL-encrypted connection (https). A redirect to the SSL version of a URL will happen when a user tries to access non-https admin-urls'
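Review bot: the example list in the new IPmaskList description uses "194.168.0.0/16", which is a routable public range and differs from both the "192.168" used in the cmpIPv4 docblock and the "192.16.0.0/16" in the commit message; use a private or documentation range (192.168.0.0/16, or 192.0.2.0/24 and 2001:db8::/32, which are reserved for documentation) and keep the three places consistent. The description also drops "(with *-wildcards)" entirely, while the cmpIP() docblock in this same change says the wildcard remains accepted for IPv4; either say that IPv4 wildcard entries stay valid or make clear that cmpIP() documents the full syntax, so existing configurations are not read as broken by this text.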