f3-factory / fatfree-core

Fat-Free Framework core library
GNU General Public License v3.0
206 stars 89 forks

Fix `isprivate()` method. #372

Closed Yousha closed 5 months ago

Yousha commented 11 months ago

Fix incorrect usage of the FILTER_FLAG_NO_PRIV_RANGE flag in the filter_var() function.

The FILTER_FLAG_NO_PRIV_RANGE flag is used to EXCLUDE private IP ranges. But in the code, the flag is used with the FILTER_VALIDATE_IP filter, which actually VALIDATES the IP address. As a result, the method returns the opposite result of what is intended. So we need to change the usage of the FILTER_FLAG_NO_PRIV_RANGE flag. Instead of using it with the FILTER_VALIDATE_IP filter, we should use it with the FILTER_FLAG_NO_PRIV_RANGE flag DIRECTLY.

By using the old (bugged) function we have:

echo isprivate(''); // TRUE
echo isprivate(' '); // TRUE
echo isprivate(null); // TRUE

echo isprivate('23.6.32.11'); // FALSE
echo isprivate('40.2.110.1'); // FALSE
echo isprivate('127.0.0.1'); // FALSE

echo isprivate('192.168.3.4'); // TRUE
echo isprivate('10.0.0.0'); // TRUE
echo isprivate('172.31.255.255'); // TRUE

Now by using the new (fixed) function we have:

echo isprivate(''); // FALSE
echo isprivate(' '); // FALSE
echo isprivate(null); // FALSE

echo isprivate('23.6.32.11'); // FALSE
echo isprivate('40.2.110.1'); // FALSE
echo isprivate('127.0.0.1'); // FALSE

echo isprivate('192.168.3.4'); // TRUE
echo isprivate('10.0.0.0'); // TRUE
echo isprivate('172.31.255.255'); // TRUE

KOTRET commented 11 months ago

The original output is equivalent to the negated result of using FILTER_FLAG_NO_PRIV_RANGE only: PHP will treat null and invalid strings as private, so the "is it an IP?" check indeed must be done separately.

As the other methods are affected as well, I'd suggest adding an isIP method in order to combine it with the additional flags.
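The following is an added example, not fatfree-core's own code, illustrating both points in this thread: the buggy negate-the-validator pattern from the PR description next to a fixed version that does the "is it an IP at all?" check separately, via a small helper in the spirit of KOTRET's isIP suggestion. The function names `isprivate_buggy`, `isprivate_fixed` and `isip` are assumptions for this example; only `filter_var()` and its flags are real PHP APIs.

```php
<?php
// Added example (not fatfree-core code). Function names are assumed.

// Buggy pattern: negating a validate-with-flag call. filter_var() returns
// false both when the address IS in a private range and when the input is
// not an IP address at all, so '', ' ' and null all come back as "private".
function isprivate_buggy($addr): bool
{
    return !filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE);
}

// Helper in the spirit of the isIP suggestion (assumed name): is the input a
// syntactically valid IPv4/IPv6 address, optionally narrowed by extra flags?
function isip($addr, int $flags = 0): bool
{
    return is_string($addr)
        && filter_var($addr, FILTER_VALIDATE_IP, $flags) !== false;
}

// Fixed: require a valid IP first, and only then ask whether it falls outside
// the private ranges. Non-IP input can never be reported as private.
function isprivate_fixed($addr): bool
{
    return isip($addr) && !isip($addr, FILTER_FLAG_NO_PRIV_RANGE);
}

// Constructed inputs, mirroring the ones listed in the PR description.
$samples = ['', ' ', null, '23.6.32.11', '40.2.110.1', '127.0.0.1',
            '192.168.3.4', '10.0.0.0', '172.31.255.255'];

foreach ($samples as $addr) {
    printf("%-18s buggy=%-5s fixed=%s\n",
        var_export($addr, true),
        var_export(isprivate_buggy($addr), true),
        var_export(isprivate_fixed($addr), true));
}
```

Running it reproduces the two tables above: the buggy variant reports `''`, `' '` and `null` as private, the fixed one does not, and both agree on the real addresses. Note that `127.0.0.1` is reported as not private by both versions because `FILTER_FLAG_NO_PRIV_RANGE` only covers the RFC 1918 ranges (10/8, 172.16/12, 192.168/16) and the IPv6 fc00::/7 block; loopback and other reserved ranges are a separate flag, `FILTER_FLAG_NO_RES_RANGE`, so code that uses this method to decide whether a peer is "internal" should not assume loopback is included.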