phpBB3 / PHPBB3-9091

Wrong IP checking for IPv4 addresses mapped into IPv6

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.6
    • Fix Version/s: 3.0.8-RC1
    • Component/s: Sessions
    • Labels:
      None
    • Environment:
      PHP Environment: 5.2.6
      Database: MySQL 5.0.51

      Description

      I have updated from Debian 4 (etch) to Debian 5 (lenny), with a lot of upgrades (php, mysql, lighttpd, etc).

      The board is now able to see only IPv4 addresses mapped into IPv6. I'm not sure why this happens (php? the web server?)

      The serious problem is that during the IP checking, the regular expressions don't detect an IPv4-mapped address.
      As a result, all user/bot connections come from localhost (127.0.0.1).

      You can imagine what a big issue this is. For one, the IP-based ban filter stops working.

      I have made a very simple patch, which I have deployed on a small-to-medium board (averaging ~30 users online).
      It seems to work fine.

      In the patch I assume you perform the IP check against $_SERVER["REMOTE_ADDR"] only in session_begin() from includes/session.php.
      After that you always use the value stored in $session->ip.
      Is this assumption correct?

          Activity

          sr55 sr55 added a comment -

          I have also run into this issue with a very similar setup for my board (running 3.0.7-PL1)

          Running Lenny, lighttpd, php5.2.6 & mysql5.0

          The patch above displays the IPV4 Address correctly for me. Not sure about IPV6. (Thanks)

          devym devym added a comment -

          The patch makes an additional check only if all other checks fail, just before "exiting" the cycle that performs the work.

          So if you have a regular IPv6 address, the original phpBB rules match the address and things work as ever.

          I'm glad the patch also works for you!

          bantu Andreas Fischer added a comment - For reference: http://en.wikipedia.org/wiki/IPv6#IPv4-mapped_addresses
          bantu Andreas Fischer added a comment -

          With the sub-ticket (PHPBB3-9524) fixed, the major problem of this ticket should be fixed.
          After applying the fix for PHPBB3-9524 it should show the address as ::ffff:192.168.0.1 etc.

          However, I think we should show those addresses as plain IPv4 addresses, like 192.168.0.1.

          devym devym added a comment -

          > However, I think we should show those addresses as plain IPv4 addresses, like 192.168.0.1.

          I agree with you. 192.168.0.1 is better than ::ffff:192.168.0.1. Moreover, all rules in the block/ban lists may stop working if you change the IP address schema.

          bantu Andreas Fischer added a comment - Work in progress is at http://github.com/bantu/phpbb3/compare/ticket/9091
          bantu Andreas Fischer added a comment -

          Ok, although I think IPv6 normalisation is a good idea, I think it should be pushed back to phpBB 3.1 so we can properly test it. Therefore I've made a much simpler patch to fix this issue.

          bantu Andreas Fischer added a comment -

          Let me reopen this for the time being. Since inet_ntop() and inet_pton() aren't available with PHP 5.2 on Windows, we would require fall back code anyway. This could mean that we can put this into the 3.0.x codebase as well.

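The normalisation discussed in this thread (treating ::ffff:192.168.0.1 as 192.168.0.1 so that IPv4 ban rules keep matching, with fall back code where inet_pton() is missing), as an added example. It is not the phpBB patch; normalize_remote_addr(), the ban list and the sample addresses are constructed for illustration.

```php
<?php
// Added example, not phpBB code. normalize_remote_addr() is a hypothetical
// helper; the ban list and the addresses below are constructed sample data.

/**
 * Returns the plain IPv4 form of an IPv4-mapped IPv6 address, any other
 * valid IPv4/IPv6 address in canonical form, or false for invalid input.
 */
function normalize_remote_addr($addr)
{
    if (function_exists('inet_pton') && function_exists('inet_ntop')) {
        $bin = @inet_pton($addr);          // false (plus a warning) on bad input
        if ($bin === false) {
            return false;
        }
        // ::ffff:0:0/96 is ten zero bytes, then ff ff, then the IPv4 address.
        $mapped_prefix = str_repeat("\0", 10) . "\xff\xff";
        if (strlen($bin) === 16 && substr($bin, 0, 12) === $mapped_prefix) {
            return inet_ntop(substr($bin, 12));
        }
        return inet_ntop($bin);
    }

    // Fallback where inet_pton() is unavailable: unwraps only the usual
    // "::ffff:a.b.c.d" spelling, then validates whatever is left.
    if (preg_match('/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i', $addr, $m)) {
        $addr = $m[1];
    }
    return filter_var($addr, FILTER_VALIDATE_IP);
}

$banned = array('192.168.0.1');            // ban rule stored in IPv4 form
$samples = array('::ffff:192.168.0.1', '::FFFF:c0a8:1', '192.168.0.1',
                 '2001:db8::1', '::ffff:999.1.1.1', 'not-an-ip');

foreach ($samples as $raw) {
    $ip = normalize_remote_addr($raw);
    if ($ip === false) {
        // Invalid input is reported as such rather than mapped to 127.0.0.1.
        $verdict = 'rejected';
    } else {
        $verdict = in_array($ip, $banned, true) ? "$ip banned" : "$ip allowed";
    }
    printf("%-20s -> %s\n", $raw, $verdict);
}
```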

            People

            • Assignee: bantu Andreas Fischer
            • Reporter: devym devym