Edit report at http://bugs.php.net/bug.php?id=50830&edit=1
ID: 50830
Comment by: michael at squiloople dot com
Reported by: mikerushton at hotmail dot co dot uk
Summary: FILTER_VALIDATE_IP incorrectly validates a
compressed IPv4-mapped IPv6 address
Status: Open
Type: Bug
Package: Filter related
Operating System: *
PHP Version: 5.*, 6
Block user comment: N
New Comment:
RFC 5952 is only a Proposed Standard. RFC 4291 is still the authority.
And even
if/when RFC 5952 is accepted, it is only a recommendation for (good
practice)
representation and clearly states that "all implementations must accept
and be
able to handle any legitimate RFC 4291 format".
Previous Comments:
------------------------------------------------------------------------
[2010-09-07 21:42:21] sob at academ dot com
Please note that RFC 4291 has been updated by RFC 5952.
------------------------------------------------------------------------
[2010-08-17 18:47:30] michael at squiloople dot com
It has come to my attention that the regular expression I provided above
uses
RFC 5321 as the authority on IPv6 address format. This differs from RFC
4291
however, which is the ACTUAL authority on IPv6 address format. The key
difference between the two is that 4291 allows a double colon to
represent just
ONE 16-bit group of zeros whereas 5321 requires that it represent at
least TWO
groups. As such, I have provided a modified regular expression which
conforms
with 4291 in this respect (and have also removed the unnecessary
capturing
groups present in my earlier regex)
(?:(?:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-
9](?::|$)){8,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,6})?::(?:[a-f0-
9]{1,4}(?::[a-f0-9]{1,4}){0,6})?)))|(?:(?:(?:(?:[a-f0-9]{1,4}(?::[a-f0-
9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){6,})(?:[a-f0-9]{1,4}(?::[a-f0-
9]{1,4}){0,4})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,4}:)?)))?(?:25[0-5]|2[0-
4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?:\.(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-
9])){3}))
------------------------------------------------------------------------
[2010-02-01 15:34:13] mikerushton at hotmail dot co dot uk
An addition: here's my solution (as a regular expression):
(?:(?:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9](?
::|$)){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?
::[a-f0-9]{1,4}){0,5})?)))|(?:(?:(?:[a-f0-9]{1,4}(?::[a-f0-
9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-
9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?))?(?:(?
:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\.(?:(?:25[0-
5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))
------------------------------------------------------------------------
[2010-01-24 15:45:29] mikerushton at hotmail dot co dot uk
Description:
------------
FILTER_VALIDATE_IP validates the incorrect 0:::255.255.255.255 and does
not validate the correct 0::255.255.255.255
According to RFC 5321, the correct syntax is:
[IPv6-hex *3(":" IPv6-hex)] "::" [IPv6-hex *3(":" IPv6-hex) ":"] IPv4-
address-literal
This does not allow for three consecutive colons.
Reproduce code:
---------------
// First
filter_var('FFFF:::255.255.255.255', FILTER_VALIDATE_IP);
// Second
filter_var('FFFF::255.255.255.255', FILTER_VALIDATE_IP);
Expected result:
----------------
// First
bool(false)
// Second
string(21) 'FFFF::255.255.255.255'
Actual result:
--------------
// First
string(22) 'FFFF:::255.255.255.255'
// Second
bool(false)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/bug.php?id=50830&edit=1
