WIP: Make trusted_proxies configuration IPv6 compatible

[johanfleury]

This is based on the 3rdparty library rlanvin/php-ip. This library
requires installation/activation of the GMP extension.

Warning: this might break existing installation.

Requires nextcloud/3rdparty#198.

[kesselb]

Thank you for your contribution 🎉

Unfortunately there is another pull request for ipv6 and trusted_proxies: #12535 😟

Caution: This library is compatible with PHP 5.2, therefore it is not namespaced.

https://github.com/rlanvin/php-ip/ not sure if this is a good choice 🤔

[johanfleury]

Oh crap. I did a search before making this PR but for some reason I didn't find this one.

It's your decision either you want to close this PR or not, but in my opinion, after taking a look at #12535, is that mine is simpler and does not rely on regex to parse IP addresses.

There's still a lot of work to do to improve this PR. Tell me if I should keep working on it.

[kesselb]

Lets ask @nextcloud/server-triage

[nickvergessen]

Well your solution depends on a 3rdparty lib instead or regex, im not sure which is better and also the lib might use regex too.

But I think the GMP dependency is the real killer here. But there is help:

server/apps/workflowengine/lib/Check/RequestRemoteAddress.php

Lines 121 to 153 in 954da26

	/**
	* Based on http://stackoverflow.com/a/7951507
	* @param string $ip
	* @param string $rangeIp
	* @param int $bits
	* @return bool
	*/
	protected function matchIPv6($ip, $rangeIp, $bits) {
	$ipNet = inet_pton($ip);
	$binaryIp = $this->ipv6ToBits($ipNet);
	$ipNetBits = substr($binaryIp, 0, $bits);
	$rangeNet = inet_pton($rangeIp);
	$binaryRange = $this->ipv6ToBits($rangeNet);
	$rangeNetBits = substr($binaryRange, 0, $bits);
	return $ipNetBits === $rangeNetBits;
	}
	/**
	* Based on http://stackoverflow.com/a/7951507
	* @param string $packedIp
	* @return string
	*/
	protected function ipv6ToBits($packedIp) {
	$unpackedIp = unpack('A16', $packedIp);
	$unpackedIp = str_split($unpackedIp[1]);
	$binaryIp = '';
	foreach ($unpackedIp as $char) {
	$binaryIp .= str_pad(decbin(ord($char)), 8, '0', STR_PAD_LEFT);
	}
	return str_pad($binaryIp, 128, '0', STR_PAD_RIGHT);
	}

We already have code that matches IPv4 and IPv6 addresses. I guess you can extract that to a new method which is then used by the workflow engine and the trusted domain code?

[MorrisJobke]

We already have code that matches IPv4 and IPv6 addresses. I guess you can extract that to a new method which is then used by the workflow engine and the trusted domain code?

That makes most sense. Thus I'm closing this PR.