Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-9091

Wrong IP checking for IPv4 addresses mapped into IPv6

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.6
    • Fix Version/s: 3.0.8-RC1
    • Component/s: Sessions
    • Labels:
      None
    • Environment:
      PHP Environment: 5.2.6
      Database: MySQL 5.0.51

      Description

      I have updated from Debian 4 (etch) to Debian 5 (lenny), with a lot of upgrade (php, mysql, lighttpd, etc).

      The board, now, is able to see only IPv4-mapped address into IPv6. I'm not sure for what reason this happens (php? the web server?)

      The strong problem is that during the IP checking, the regex expressions don't detect an IPv4-mapped address.
      As a result, all users/bot connections come from localhost (127.0.0.1).

      You can imagine what a big issue is this. One for all, the ip-based ban filter stops to work.

      I have done a very simple patch I have deployed in a small-to-medium board (averaging ~30 users online).
      It seems to work fine.

      In the patch I suppose you perform the IP check against $_SERVER["REMOTE_ADDR"] only in session_begin() from includes/session.php.
      After that you use always the value stored in $session->ip.
      Is this assertion correct?

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                bantu Andreas Fischer
                Reporter:
                devym devym
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: