From 5a060b34df8139af3f3d00297d58c57315b17ac1 Mon Sep 17 00:00:00 2001 From: epriestley Date: Mon, 5 Dec 2016 09:46:44 -0800 Subject: [PATCH] Add IPv6 reserved addresses to the default outbound blacklist Summary: Ref T11939. Depends on D16984. Now that CIDRLists can contain IPv6 addresses, blacklist all of the reserved IPv6 space. This reserved blacklist is used to prevent users from accessing internal services via "Import Calendar" or "Add Macro". They can't actually reach IPv6 addresses via these mechanisms yet because we need to do more work to support outbound IPv6 requests, but make sure reserved IPv6 space is blacklisted already when that support eventaully arrives. Also, clean up some error messages (e.g., for trying to hit a bad URI in "Add Macro"). Test Plan: - Loaded pages with default blacklist. - Tried to make requests into IPv6 space. - Currently, this is impossible because of `parse_url()` and `gethostynamel()` calls. Reviewers: chad Reviewed By: chad Maniphest Tasks: T11939 Differential Revision: https://secure.phabricator.com/D16986 --- .../option/PhabricatorSecurityConfigOptions.php | 17 ++++++++++++++++- src/infrastructure/env/PhabricatorEnv.php | 14 +++++++------- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/src/applications/config/option/PhabricatorSecurityConfigOptions.php b/src/applications/config/option/PhabricatorSecurityConfigOptions.php index dde1d0d7be..4d4da4bd02 100644 --- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php +++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php @@ -23,8 +23,8 @@ final class PhabricatorSecurityConfigOptions $doc_href = PhabricatorEnv::getDoclink('Configuring a File Domain'); $doc_name = pht('Configuration Guide: Configuring a File Domain'); - // This is all of the IANA special/reserved blocks in IPv4 space. $default_address_blacklist = array( + // This is all of the IANA special/reserved blocks in IPv4 space. '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', @@ -41,6 +41,21 @@ final class PhabricatorSecurityConfigOptions '224.0.0.0/4', '240.0.0.0/4', '255.255.255.255/32', + + // And these are the IANA special/reserved blocks in IPv6 space. + '::/128', + '::1/128', + '::ffff:0:0/96', + '100::/64', + '64:ff9b::/96', + '2001::/32', + '2001:10::/28', + '2001:20::/28', + '2001:db8::/32', + '2002::/16', + 'fc00::/7', + 'fe80::/10', + 'ff00::/8', ); $keyring_type = 'custom:PhabricatorKeyringConfigOptionType'; diff --git a/src/infrastructure/env/PhabricatorEnv.php b/src/infrastructure/env/PhabricatorEnv.php index ae7256a490..15873a7f9c 100644 --- a/src/infrastructure/env/PhabricatorEnv.php +++ b/src/infrastructure/env/PhabricatorEnv.php @@ -737,10 +737,10 @@ final class PhabricatorEnv extends Phobject { * @task uri */ public static function requireValidRemoteURIForFetch( - $uri, + $raw_uri, array $protocols) { - $uri = new PhutilURI($uri); + $uri = new PhutilURI($raw_uri); $proto = $uri->getProtocol(); if (!strlen($proto)) { @@ -748,7 +748,7 @@ final class PhabricatorEnv extends Phobject { pht( 'URI "%s" is not a valid fetchable resource. A valid fetchable '. 'resource URI must specify a protocol.', - $uri)); + $raw_uri)); } $protocols = array_fuse($protocols); @@ -757,7 +757,7 @@ final class PhabricatorEnv extends Phobject { pht( 'URI "%s" is not a valid fetchable resource. A valid fetchable '. 'resource URI must use one of these protocols: %s.', - $uri, + $raw_uri, implode(', ', array_keys($protocols)))); } @@ -767,7 +767,7 @@ final class PhabricatorEnv extends Phobject { pht( 'URI "%s" is not a valid fetchable resource. A valid fetchable '. 'resource URI must specify a domain.', - $uri)); + $raw_uri)); } $addresses = gethostbynamel($domain); @@ -776,7 +776,7 @@ final class PhabricatorEnv extends Phobject { pht( 'URI "%s" is not a valid fetchable resource. The domain "%s" could '. 'not be resolved.', - $uri, + $raw_uri, $domain)); } @@ -787,7 +787,7 @@ final class PhabricatorEnv extends Phobject { 'URI "%s" is not a valid fetchable resource. The domain "%s" '. 'resolves to the address "%s", which is blacklisted for '. 'outbound requests.', - $uri, + $raw_uri, $domain, $address)); }