Edit report at http://bugs.php.net/bug.php?id=53236&edit=1
ID: 53236 Updated by: cataphr...@php.net Reported by: dominic at sayers dot cc Summary: IPv6 address validation error -Status: Open +Status: Closed Type: Bug Package: Filter related Operating System: All PHP Version: 5.3.3 -Assigned To: +Assigned To: cataphract Block user comment: N New Comment: This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Fixed for PHP 5.3 and trunk. Previous Comments: ------------------------------------------------------------------------ [2010-11-08 05:36:17] cataphr...@php.net Automatic comment from SVN on behalf of cataphract Revision: http://svn.php.net/viewvc/?view=revision&revision=305186 Log: - Fixed the filter extension accepting IPv4 octets with a leading 0 as that belongs to the unsupported "dotted octal" representation. - Fixed bug #53236 (problems in the validation of IPv6 addresses with leading and trailing :: in the filter extension). - Fixed bug #50117 (problems in the validation of IPv6 addresses with IPv4 addresses and ::). ------------------------------------------------------------------------ [2010-11-03 15:59:04] dominic at sayers dot cc Description: ------------ IPv6 addresses with a single abbreviated field are being validated inconsistently. For example the following IPv6 address is marked as valid: 1::2:3:4:5:6:7 but the following two IPv6 addresses are marked as invalid: ::1:2:3:4:5:6:7 1:2:3:4:5:6:7:: How should they be validated? The authority on the text representation of IPv6 addresses is RFC 4291, which allows all three examples. However the recently- published RFC 5952 deprecates a format where a single field is abbreviated in this way, although it clearly states that such addresses must be accepted if presented. RFC 5952 defines a recommended formatting for *outputting* IPv6 addresses, not for validating incoming ones. RFC 3986 also allows this syntax, but RFC 5321 does not (although like RFC 5952 it acknowledges the ultimate authority of RFC 4291). The point of this bug report, however, is to point out the inconsistent validation of these addresses. I believe they should all be allowed (as per RFCs 4291 and 3986). Warning: this might result in filter_var allowing some email addresses that have IPv6 address literals that are OK according to RFC 4291 but not RFC 5321. Test script: --------------- <?php function isIP($address) { $valid = filter_var($address, FILTER_VALIDATE_IP); echo "$address is", ($valid ? '' : ' not'), ' valid<br/>'; } isIP('1:2:3::4:5:6:7'); isIP('::1:2:3:4:5:6:7'); isIP('1:2:3:4:5:6:7::'); ?> Expected result: ---------------- 1:2:3::4:5:6:7 is valid ::1:2:3:4:5:6:7 is valid 1:2:3:4:5:6:7:: is valid Actual result: -------------- 1:2:3::4:5:6:7 is valid ::1:2:3:4:5:6:7 is not valid 1:2:3:4:5:6:7:: is not valid ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/bug.php?id=53236&edit=1