Update wikimedia/ip-utils from 1.0.0 to 3.0.1

Bug: T247212
Bug: T248237
Depends-On: Iaa520a50498c4d1d4514874fbe6f72aa0f76ccb8
Change-Id: I155024341e8e6b13240e37b30c31b95dc83a47e0

RELEASE-NOTES-1.36

@@ -102,6 +102,7 @@ this is no longer recommended and the option has been removed.
 * Updated pear/net_smtp from 1.9.1 to 1.9.2.
 * Updated pimple/pimple from 3.3.0 to 3.3.1.
 * Updated wikimedia/html-formatter from 1.0.2 to 2.0.1.
+* Updated wikimedia/ip-utils from 1.0.0 to 3.0.1.
 * Updated wikimedia/less.php from 3.0.0 to 3.1.0.
 * Updated wikimedia/object-factory from 2.1.0 to 3.0.0.
 * Updated wikimedia/remex-html from 2.2.0 to 2.2.1.

composer.json

@@ -54,7 +54,7 @@
 		"wikimedia/composer-merge-plugin": "1.4.1",
 		"wikimedia/html-formatter": "2.0.1",
 		"wikimedia/ip-set": "2.1.0",
-		"wikimedia/ip-utils": "1.0.0",
+		"wikimedia/ip-utils": "3.0.1",
 		"wikimedia/less.php": "3.1.0",
 		"wikimedia/object-factory": "3.0.0",
 		"wikimedia/parsoid": "^0.13.0-a20@alpha",

includes/WebRequest.php

@@ -1296,7 +1296,11 @@ class WebRequest {
 			# IP addresses over proxy servers controlled by this site (more sensible).
 			# Note that some XFF values might be "unknown" with Squid/Varnish.
 			foreach ( $ipchain as $i => $curIP ) {
-				$curIP = IPUtils::sanitizeIP( IPUtils::canonicalize( $curIP ) );
+				$curIP = IPUtils::sanitizeIP(
+					IPUtils::canonicalize(
+						self::canonicalizeIPv6LoopbackAddress( $curIP )
+					)
+				);
 				if ( !$curIP || !isset( $ipchain[$i + 1] ) || $ipchain[$i + 1] === 'unknown'
 					|| !$proxyLookup->isTrustedProxy( $curIP )
 				) {
@@ -1307,14 +1311,19 @@ class WebRequest {
 					$wgUsePrivateIPs ||
 					$proxyLookup->isConfiguredProxy( $curIP ) // T50919; treat IP as sane
 				) {
+					$nextIP = $ipchain[$i + 1];
+
 					// Follow the next IP according to the proxy
-					$nextIP = IPUtils::canonicalize( $ipchain[$i + 1] );
+					$nextIP = IPUtils::canonicalize(
+						self::canonicalizeIPv6LoopbackAddress( $nextIP )
+					);
 					if ( !$nextIP && $isConfigured ) {
 						// We have not yet made it past CDN/proxy servers of this site,
 						// so either they are misconfigured or there is some IP spoofing.
 						throw new MWException( "Invalid IP given in XFF '$forwardedFor'." );
 					}
 					$ip = $nextIP;
+
 					// keep traversing the chain
 					continue;
 				}
@@ -1333,6 +1342,23 @@ class WebRequest {
 		return $ip;
 	}
 
+	/**
+	 * Converts ::1 (IPv6 loopback address) to 127.0.0.1 (IPv4 loopback address);
+	 * assists in matching trusted proxies.
+	 *
+	 * @param string $ip
+	 * @return string either '127.0.0.1' or $ip
+	 * @since 1.36
+	 */
+	public static function canonicalizeIPv6LoopbackAddress( $ip ) {
+		// Code moved from IPUtils library. See T248237#6614927
+		$m = [];
+		if ( preg_match( '/^0*' . IPUtils::RE_IPV6_GAP . '1$/', $ip, $m ) ) {
+			return '127.0.0.1';
+		}
+		return $ip;
+	}
+
 	/**
 	 * @param string $ip
 	 * @return void

tests/phpunit/includes/htmlform/HTMLRestrictionsFieldTest.php

@@ -64,7 +64,7 @@ class HTMLRestrictionsFieldTest extends PHPUnit\Framework\TestCase {
 			// submitted text, value of 'IPAddresses' key or false for validation error
 			[ null, [ '0.0.0.0/0', '::/0' ] ],
 			[ '', [] ],
-			[ "1.2.3.4\n::/0", [ '1.2.3.4', '::/0' ] ],
+			[ "1.2.3.4\n::0", [ '1.2.3.4', '::0' ] ],
 			[ "1.2.3.4\n::/x", false ],
 		];
 	}