Merge pull request #14152 from nextcloud/backport/14149/stable14

[stable14] Fix the thorrtler whitelist bitmask
nextcloud · Feb 12, 2019 · 0ff8c30 · 0ff8c30
2 parents 7192688 + cb0b6ce
commit 0ff8c30
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php
@@ -177,8 +177,10 @@ private function isIPWhitelisted($ip) {
 				$part = ord($addr[(int)($i/8)]);
 				$orig = ord($ip[(int)($i/8)]);
 
-				$part = $part & (15 << (1 - ($i % 2)));
-				$orig = $orig & (15 << (1 - ($i % 2)));
+				$bitmask = 1 << (7 - ($i % 8));
+
+				$part = $part & $bitmask;
+				$orig = $orig & $bitmask;
 
 				if ($part !== $orig) {
 					$valid = false;

diff --git a/tests/lib/Security/Bruteforce/ThrottlerTest.php b/tests/lib/Security/Bruteforce/ThrottlerTest.php
@@ -100,6 +100,27 @@ public function dataIsIPWhitelisted() {
 				],
 				true,
 			],
+			[
+				'10.10.10.10',
+				[
+					'whitelist_0' => '10.10.10.11/31',
+				],
+				true,
+			],
+			[
+				'10.10.10.10',
+				[
+					'whitelist_0' => '10.10.10.9/31',
+				],
+				false,
+			],
+			[
+				'10.10.10.10',
+				[
+					'whitelist_0' => '10.10.10.15/29',
+				],
+				true,
+			],
 			[
 				'dead:beef:cafe::1',
 				[
@@ -127,6 +148,14 @@ public function dataIsIPWhitelisted() {
 				],
 				true,
 			],
+			[
+				'dead:beef:cafe::1111',
+				[
+					'whitelist_0' => 'dead:beef:cafe::1100/123',
+
+				],
+				true,
+			],
 			[
 				'invalid',
 				[],