starred/LookingGlass
1
0
Fork 0
mirror of https://github.com/telephone/LookingGlass.git synced 2026-04-24 23:46:02 +03:00
Code Issues 25 Projects Releases Packages Wiki Activity

[GH-ISSUE #48] RFC1918 space not failing validation #31

New issue
Open
opened 2026-02-28 00:40:14 +03:00 by kerem · 0 comments
kerem commented 2026-02-28 00:40:14 +03:00
Owner
Copy link

Originally created by @the-ercules on GitHub (Jul 24, 2018).
Original GitHub issue: https://github.com/telephone/LookingGlass/issues/48

Based on the code in LookingGlass.php, part of the validation process is to reject RFC1918 (private, ex 10.x.x.x. 192.168.x.x, etc.) IP space, but after the validIP function fails, an IP address can be allowed through the validURL function. I added some code in the validURL function to catch an IP address that sneaks through the validIP function. Only a private IP would get this far, so any IP address is rejected.

private function validUrl($url)
{
    // check for http
    if (stripos($url, 'http') === false) {
        $url = 'http://' . $url;
    }
    // validate url
    if (filter_var($url, FILTER_VALIDATE_URL)) {
        // parse url for host
        if ($host = parse_url($url, PHP_URL_HOST)) {
            //check if an IP address made it this far and fail validation (useful for filtering out private space)
            if (filter_var($host, FILTER_VALIDATE_IP)) {
                return false;
            }
            //otherwise return just the host (not full url)
            return $host;
        }
        return $url;
    }
    return false;
}
Originally created by @the-ercules on GitHub (Jul 24, 2018). Original GitHub issue: https://github.com/telephone/LookingGlass/issues/48 Based on the code in LookingGlass.php, part of the validation process is to reject RFC1918 (private, ex 10.x.x.x. 192.168.x.x, etc.) IP space, but after the validIP function fails, an IP address can be allowed through the validURL function. I added some code in the validURL function to catch an IP address that sneaks through the validIP function. Only a private IP would get this far, so any IP address is rejected. private function validUrl($url) { // check for http if (stripos($url, 'http') === false) { $url = 'http://' . $url; } // validate url if (filter_var($url, FILTER_VALIDATE_URL)) { // parse url for host if ($host = parse_url($url, PHP_URL_HOST)) { //check if an IP address made it this far and fail validation (useful for filtering out private space) if (filter_var($host, FILTER_VALIDATE_IP)) { return false; } //otherwise return just the host (not full url) return $host; } return $url; } return false; }
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dev
v1.3.0
v1.2.0
v1.1.0
v1.0.0
Labels
Clear labels   
enhancement

   
enhancement

   
enhancement

   
pull-request

Mirrored from GitHub Pull Request

  
v1
No labels
enhancement
enhancement
enhancement
pull-request
v1
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/LookingGlass#31
No description provided.