IP::isInRange() returns true on nonsense input
Closed, ResolvedPublic
Actions

Description

In AbuseFilter

is_in_range(ip, range)

will give true, if ip is not an ip and range is not a range.

The reason seems to be that

IP::isInRange($ip, $range)

in mediawiki-core(?), see https://doc.wikimedia.org/mediawiki-core/master/php/IP_8php_source.html#l00637, uses

strcmp(. , .) >= 0 && strcmp(. , .) <= 0,

which is always true, if the params are not defined, because strcmp results in 0.

This can lead to big problems, if somebody makes a minor error in using the AbuseFilter extension, e.g.

is_in_range(user_name, "127.0.1/16")
is_in_range("127.0.1/16", user_name)
is_in_range(user_name, "wtf")

Details

Subject	Repo	Branch	Lines +/-
Don't allow invalid IP ranges to be entered in ip_in_range()	mediawiki/extensions/AbuseFilter	master	+11 -0
Check whether IP is valid in ip_in_range()	mediawiki/extensions/AbuseFilter	master	+1 -1
Add note that IP::isInRange() can return unexpected results for invalid args	mediawiki/core	master	+8 -5

Customize query in gerrit

Event Timeline

seth created this task.Jan 19 2016, 11:33 PM

seth raised the priority of this task from to Medium.

seth updated the task description. (Show Details)

seth added projects: MediaWiki-General, AbuseFilter.

seth subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 19 2016, 11:33 PM

Schulhofpassage subscribed.Jan 19 2016, 11:46 PM

Yellowcard subscribed.Jan 20 2016, 12:28 AM

We could try to check the IP range at validation level and do IP::isIPAddress( $IP ) && IP::isInRange( $ip, $range ) during evaluation instead of just checking isInRange?

Change 266595 had a related patch set uploaded (by MtDu):
Fix IP::isInRange() returning true on nonsensical outputs

https://gerrit.wikimedia.org/r/266595

gerritbot added a project: Patch-For-Review.Jan 26 2016, 9:30 PM

Not sure if this works. (letting result = null) Let me know your opinions.
Thanks,
MtDu

Change 275544 had a related patch set uploaded (by Glaisher):
Don't allow invalid IP ranges to be entered in ip_in_range()

https://gerrit.wikimedia.org/r/275544

Change 275564 had a related patch set uploaded (by Glaisher):
Add note that IP::isInRange() can return unexpected results for invalid args

https://gerrit.wikimedia.org/r/275564

Change 275564 merged by jenkins-bot:
Add note that IP::isInRange() can return unexpected results for invalid args

https://gerrit.wikimedia.org/r/275564

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2016-04-12_(1.27.0-wmf.21)).Apr 9 2016, 9:00 PM

Change 266595 abandoned by MtDu:
Check whether IP is valid in ip_in_range()

Reason:
Per @TTOs comment.

https://gerrit.wikimedia.org/r/266595

matej_suchanek claimed this task.Apr 2 2018, 6:52 PM

Change 275544 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Don't allow invalid IP ranges to be entered in ip_in_range()

https://gerrit.wikimedia.org/r/275544

ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-06-12 (1.32.0-wmf.8)).Jun 10 2018, 1:00 AM

@matej_suchanek are we all set here?

Yes! \o/

IP::isInRange() returns true on nonsense inputClosed, ResolvedPublicActions

Description

Details

Event Timeline

IP::isInRange() returns true on nonsense input
Closed, ResolvedPublic
Actions