1 files changed, 14 insertions, 2 deletions

diff --git a/lib/private/Http/Client/LocalAddressChecker.php b/lib/private/Http/Client/LocalAddressChecker.php
index c69d1007a16..da641b57c04 100644
--- a/lib/private/Http/Client/LocalAddressChecker.php
+++ b/lib/private/Http/Client/LocalAddressChecker.php
@@ -27,6 +27,7 @@ namespace OC\Http\Client;
 
 use OCP\Http\Client\LocalServerException;
 use Psr\Log\LoggerInterface;
+use OC\Http\IpUtils;
 
 class LocalAddressChecker {
 	private LoggerInterface $logger;
@@ -36,7 +37,16 @@ class LocalAddressChecker {
 	}
 
 	public function ThrowIfLocalIp(string $ip) : void {
-		if ((bool)filter_var($ip, FILTER_VALIDATE_IP) && !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
+		$localRanges = [
+			'100.64.0.0/10', // See RFC 6598
+			'192.0.0.0/24', // See RFC 6890
+		];
+		if (
+			(bool)filter_var($ip, FILTER_VALIDATE_IP) &&
+			(
+				!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) ||
+				IpUtils::checkIp($ip, $localRanges)
+			)) {
 			$this->logger->warning("Host $ip was not connected to because it violates local access rules");
 			throw new LocalServerException('Host violates local access rules');
 		}
@@ -46,7 +56,9 @@ class LocalAddressChecker {
 			$delimiter = strrpos($ip, ':'); // Get last colon
 			$ipv4Address = substr($ip, $delimiter + 1);
 
-			if (!filter_var($ipv4Address, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
+			if (
+				!filter_var($ipv4Address, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) ||
+				IpUtils::checkIp($ip, $localRanges)) {
 				$this->logger->warning("Host $ip was not connected to because it violates local access rules");
 				throw new LocalServerException('Host violates local access rules');
 			}