
Add IPv6 reserved addresses to the default outbound blacklist

Summary:
Ref T11939. Depends on D16984. Now that CIDRLists can contain IPv6 addresses, blacklist all of the reserved IPv6 space.

This reserved blacklist is used to prevent users from accessing internal services via "Import Calendar" or "Add Macro".

They can't actually reach IPv6 addresses via these mechanisms yet because we need to do more work to support outbound IPv6 requests, but make sure reserved IPv6 space is blacklisted already when that support eventaully arrives.

Also, clean up some error messages (e.g., for trying to hit a bad URI in "Add Macro").

Test Plan:
- Loaded pages with default blacklist.
- Tried to make requests into IPv6 space.
- Currently, this is impossible because of `parse_url()` and `gethostbynamel()` calls.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11939

Differential Revision: https://secure.phabricator.com/D16986

+23 -8
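--- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php
+++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
@@ -23,8 +23,8 @@
 $doc_href = PhabricatorEnv::getDoclink('Configuring a File Domain');
 $doc_name = pht('Configuration Guide: Configuring a File Domain');
 
-// This is all of the IANA special/reserved blocks in IPv4 space.
 $default_address_blacklist = array(
+// This is all of the IANA special/reserved blocks in IPv4 space.
 '0.0.0.0/8',
 '10.0.0.0/8',
 '100.64.0.0/10',
@@ -41,6 +41,21 @@
 '224.0.0.0/4',
 '240.0.0.0/4',
 '255.255.255.255/32',
+
+// And these are the IANA special/reserved blocks in IPv6 space.
+'::/128',
+'::1/128',
+'::ffff:0:0/96',
+'100::/64',
+'64:ff9b::/96',
+'2001::/32',
+'2001:10::/28',
+'2001:20::/28',
+'2001:db8::/32',
+'2002::/16',
+'fc00::/7',
+'fe80::/10',
+'ff00::/8',
 );
 
 $keyring_type = 'custom:PhabricatorKeyringConfigOptionType';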
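Review bot: The new entry `'2001::/32'` (Teredo) is narrower than the IANA special-purpose registration it sits inside, `2001::/23` (IETF Protocol Assignments, RFC 2928 / RFC 6890), so sub-allocations such as 2001:2::/48 (benchmarking), 2001:3::/32 (AMT) and 2001:4:112::/48 (AS112) are not covered by the default blacklist. Replacing the three entries `'2001::/32'`, `'2001:10::/28'` and `'2001:20::/28'` with the single `'2001::/23'` covers all of them, since both ORCHID ranges also lie within that /23. The IPv6 comment would be more useful to the next maintainer if it named its source, e.g. `// IANA IPv6 Special-Purpose Address Registry (RFC 6890): unspecified, loopback, IPv4-mapped, discard, NAT64, IETF protocol assignments, documentation, 6to4, ULA, link-local and multicast.`. The array is built inside a method whose header and remainder lie outside this section.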
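--- a/src/infrastructure/env/PhabricatorEnv.php
+++ b/src/infrastructure/env/PhabricatorEnv.php
@@ -737,10 +737,10 @@
 * @task uri
 */
 public static function requireValidRemoteURIForFetch(
-$uri,
+$raw_uri,
 array $protocols) {
 
-$uri = new PhutilURI($uri);
+$uri = new PhutilURI($raw_uri);
 
 $proto = $uri->getProtocol();
 if (!strlen($proto)) {
@@ -748,7 +748,7 @@
 pht(
 'URI "%s" is not a valid fetchable resource. A valid fetchable '.
 'resource URI must specify a protocol.',
-$uri));
+$raw_uri));
 }
 
 $protocols = array_fuse($protocols);
@@ -757,7 +757,7 @@
 pht(
 'URI "%s" is not a valid fetchable resource. A valid fetchable '.
 'resource URI must use one of these protocols: %s.',
-$uri,
+$raw_uri,
 implode(', ', array_keys($protocols))));
 }
 
@@ -767,7 +767,7 @@
 pht(
 'URI "%s" is not a valid fetchable resource. A valid fetchable '.
 'resource URI must specify a domain.',
-$uri));
+$raw_uri));
 }
 
 $addresses = gethostbynamel($domain);
@@ -776,7 +776,7 @@
 pht(
 'URI "%s" is not a valid fetchable resource. The domain "%s" could '.
 'not be resolved.',
-$uri,
+$raw_uri,
 $domain));
 }
 
@@ -787,7 +787,7 @@
 'URI "%s" is not a valid fetchable resource. The domain "%s" '.
 'resolves to the address "%s", which is blacklisted for '.
 'outbound requests.',
-$uri,
+$raw_uri,
 $domain,
 $address));
 }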
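Review bot: The addresses vetted after `$addresses = gethostbynamel($domain);` are only checked and then discarded, so whatever performs the fetch later must resolve the name a second time; a host whose DNS answer changes between the two lookups (DNS rebinding, short TTL) passes this check and still reaches a blacklisted address. Unless the caller pins the connection to one of the vetted addresses — not visible in this hunk — consider having `requireValidRemoteURIForFetch` return the vetted `$addresses` so the fetch can connect to one of them directly rather than re-resolving. Note also that `gethostbynamel()` returns only A records, so an AAAA-only name fails at the "could not be resolved" branch and the IPv6 entries this commit adds are never consulted by this function; the test plan acknowledges this, and the docblock above `@task uri` is a good place to record that limitation, e.g. `* Only IPv4 answers are checked today; see T11939 for IPv6 support.`. The function's docblock starts before this hunk and its body continues past the last blacklist check shown.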