Add IPv6 reserved addresses to the default outbound blacklist

Summary:
Ref T11939. Depends on D16984. Now that CIDRLists can contain IPv6 addresses, blacklist all of the reserved IPv6 space.

This reserved blacklist is used to prevent users from accessing internal services via "Import Calendar" or "Add Macro".

They can't actually reach IPv6 addresses via these mechanisms yet because we need to do more work to support outbound IPv6 requests, but make sure reserved IPv6 space is blacklisted already when that support eventaully arrives.

Also, clean up some error messages (e.g., for trying to hit a bad URI in "Add Macro").

Test Plan:
  - Loaded pages with default blacklist.
  - Tried to make requests into IPv6 space.
  - Currently, this is impossible because of `parse_url()` and `gethostynamel()` calls.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11939

Differential Revision: https://secure.phabricator.com/D16986

src/applications/config/option/PhabricatorSecurityConfigOptions.php

@@ -23,8 +23,8 @@ final class PhabricatorSecurityConfigOptions
     $doc_href = PhabricatorEnv::getDoclink('Configuring a File Domain');
     $doc_name = pht('Configuration Guide: Configuring a File Domain');
 
-    // This is all of the IANA special/reserved blocks in IPv4 space.
     $default_address_blacklist = array(
+      // This is all of the IANA special/reserved blocks in IPv4 space.
       '0.0.0.0/8',
       '10.0.0.0/8',
       '100.64.0.0/10',
@@ -41,6 +41,21 @@ final class PhabricatorSecurityConfigOptions
       '224.0.0.0/4',
       '240.0.0.0/4',
       '255.255.255.255/32',
+
+      // And these are the IANA special/reserved blocks in IPv6 space.
+      '::/128',
+      '::1/128',
+      '::ffff:0:0/96',
+      '100::/64',
+      '64:ff9b::/96',
+      '2001::/32',
+      '2001:10::/28',
+      '2001:20::/28',
+      '2001:db8::/32',
+      '2002::/16',
+      'fc00::/7',
+      'fe80::/10',
+      'ff00::/8',
     );
 
     $keyring_type = 'custom:PhabricatorKeyringConfigOptionType';

src/infrastructure/env/PhabricatorEnv.php

@@ -737,10 +737,10 @@ final class PhabricatorEnv extends Phobject {
    * @task uri
    */
   public static function requireValidRemoteURIForFetch(
-    $uri,
+    $raw_uri,
     array $protocols) {
 
-    $uri = new PhutilURI($uri);
+    $uri = new PhutilURI($raw_uri);
 
     $proto = $uri->getProtocol();
     if (!strlen($proto)) {
@@ -748,7 +748,7 @@ final class PhabricatorEnv extends Phobject {
         pht(
           'URI "%s" is not a valid fetchable resource. A valid fetchable '.
           'resource URI must specify a protocol.',
-          $uri));
+          $raw_uri));
     }
 
     $protocols = array_fuse($protocols);
@@ -757,7 +757,7 @@ final class PhabricatorEnv extends Phobject {
         pht(
           'URI "%s" is not a valid fetchable resource. A valid fetchable '.
           'resource URI must use one of these protocols: %s.',
-          $uri,
+          $raw_uri,
           implode(', ', array_keys($protocols))));
     }
 
@@ -767,7 +767,7 @@ final class PhabricatorEnv extends Phobject {
         pht(
           'URI "%s" is not a valid fetchable resource. A valid fetchable '.
           'resource URI must specify a domain.',
-          $uri));
+          $raw_uri));
     }
 
     $addresses = gethostbynamel($domain);
@@ -776,7 +776,7 @@ final class PhabricatorEnv extends Phobject {
         pht(
           'URI "%s" is not a valid fetchable resource. The domain "%s" could '.
           'not be resolved.',
-          $uri,
+          $raw_uri,
           $domain));
     }
 
@@ -787,7 +787,7 @@ final class PhabricatorEnv extends Phobject {
             'URI "%s" is not a valid fetchable resource. The domain "%s" '.
             'resolves to the address "%s", which is blacklisted for '.
             'outbound requests.',
-            $uri,
+            $raw_uri,
             $domain,
             $address));
       }