author | Thomas Steur <tsteur@users.noreply.github.com> | 2021-09-23 22:59:11 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-23 22:59:11 +0300 |
commit | 3495f7af4c6031c71e47dcd0d882b3950486cfc9 (patch) | |
tree | b28f435a210e32b987630914f8bbfdd95dbc5176 | |
parent | 40f0ce2e614632ec8ac6af71a38f1c47b267e26c (diff) |
For login allow list add support for IPv6 (#18046)
-rw-r--r-- | config/global.php | 12 | ||||
-rw-r--r-- | plugins/CoreHome/tests/Integration/LoginAllowlistTest.php | 8 |
2 files changed, 19 insertions, 1 deletions
diff --git a/config/global.php b/config/global.php
index 4be44c4dbd..cc02edc8d4 100644
--- a/config/global.php
+++ b/config/global.php
@@ -162,12 +162,24 @@ return array(
 $ipsResolved = array();
 foreach ($ips as $ip) {
+ $ip = trim($ip);
 if (filter_var($ip, FILTER_VALIDATE_IP)) {
 $ipsResolved[] = $ip;
 } else {
 $ipFromHost = @gethostbyname($ip);
 if (!empty($ipFromHost)) {
+ // we don't check using filter_var if it's an IP as "gethostbyname" will return the $ip if it's not a hostname
+ // and we then assume it is an IP range. Otherwise IP ranges would not be added. Ideally would above check if it is an
+ // IP range before trying to get host by name.
 $ipsResolved[] = $ipFromHost;
+ }
+
+ if (function_exists('dns_get_record')) {
+ $entry = @dns_get_record($ip, DNS_AAAA);
+ if (!empty($entry['0']['ipv6'])
+ && filter_var($entry['0']['ipv6'], FILTER_VALIDATE_IP)) {
+ $ipsResolved[] = $entry['0']['ipv6'];
+ }
 }
 }
 }
diff --git a/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php b/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php
index 993a722648..bfec00497f 100644
--- a/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php
+++ b/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php
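Review bot: In config/global.php the new AAAA lookup keeps only `$entry['0']`, so a host that publishes several AAAA records gets just one of them onto the login allowlist and the rest are dropped without any signal, since `@` hides lookup failures. The lookup also runs for every entry that is not a literal IP, which according to the added comment includes IP ranges, so each range costs a pointless DNS query whenever the list is resolved. Because this list gates login, I would restrict the lookup to entries that can be hostnames and add every validated AAAA record, as sketched below. The enclosing closure starts and ends outside the hunk.

```php
// … unchanged: trim(), literal-IP branch, gethostbyname() handling …
// assumes ranges are written with '/' or '*' — confirm against the formats the allowlist accepts
if (function_exists('dns_get_record') && strpbrk($ip, '/*') === false) {
    $records = @dns_get_record($ip, DNS_AAAA);
    foreach (is_array($records) ? $records : array() as $record) {
        if (!empty($record['ipv6'])
            && filter_var($record['ipv6'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
            $ipsResolved[] = $record['ipv6'];
        }
    }
}
```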
@@ -132,7 +132,13 @@ class LoginAllowlistTest extends IntegrationTestCase
 public function test_getAllowlistedLoginIps_shouldResolveIp()
 {
 $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1', 'matomo.org', '127.0.0.1']);
- $this->assertSame(['192.168.33.1', '185.31.40.177', '127.0.0.1'], $this->allowlist->getAllowlistedLoginIps());
+ $this->assertSame(['192.168.33.1', '185.31.40.177', '2a00:b6e0:1:200:177::1', '127.0.0.1'], $this->allowlist->getAllowlistedLoginIps());
+ }
+
+ public function test_getAllowlistedLoginIps_shouldResolveIpv6Only()
+ {
+ $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1', 'integration-test.matomo.org', '127.0.0.1']);
+ $this->assertSame(['192.168.33.1', 'integration-test.matomo.org', '::1', '127.0.0.1'], $this->allowlist->getAllowlistedLoginIps());
 }
 public function test_getAllowlistedLoginIps_shouldNotBeCheckedIfOnlyEmptyEntries() |
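Review bot: Both assertions pin addresses returned by live DNS (`185.31.40.177`, `2a00:b6e0:1:200:177::1`, and `::1` for `integration-test.matomo.org`), so the tests fail whenever those records change or the runner has no resolver, independent of the code under test. The second test also asserts that the unresolved hostname itself stays in the returned list, which looks like a consequence of `gethostbyname` echoing its input rather than an intended contract. I would document both above the new test, e.g. `// relies on live DNS: integration-test.matomo.org is expected to publish only an AAAA record (::1); the hostname stays in the list because gethostbyname() returns its input unchanged`. A case where `dns_get_record` yields no AAAA record is not covered in this hunk.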