From cb0b6cedd1a19f205134bf2b84698cd74e9f7428 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Mon, 11 Feb 2019 23:22:20 +0100
Subject: [PATCH] Fix the thorrtler whitelist bitmask

Before we actually didn't check each bit of the bitmask. Now we do.

Signed-off-by: Roeland Jago Douma
---
 lib/private/Security/Bruteforce/Throttler.php | 6 ++--
 .../lib/Security/Bruteforce/ThrottlerTest.php | 29 +++++++++++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php
index 3282121d96780..ec56b4f7ee260 100644
--- a/lib/private/Security/Bruteforce/Throttler.php
+++ b/lib/private/Security/Bruteforce/Throttler.php
@@ -177,8 +177,10 @@ private function isIPWhitelisted($ip) {
 $part = ord($addr[(int)($i/8)]);
 $orig = ord($ip[(int)($i/8)]);

- $part = $part & (15 << (1 - ($i % 2)));
- $orig = $orig & (15 << (1 - ($i % 2)));
+ $bitmask = 1 << (7 - ($i % 8));
+
+ $part = $part & $bitmask;
+ $orig = $orig & $bitmask;

 if ($part !== $orig) {
 $valid = false;
diff --git a/tests/lib/Security/Bruteforce/ThrottlerTest.php b/tests/lib/Security/Bruteforce/ThrottlerTest.php
index dac12a00dcdb6..da386db9d2d9b 100644
--- a/tests/lib/Security/Bruteforce/ThrottlerTest.php
+++ b/tests/lib/Security/Bruteforce/ThrottlerTest.php
@@ -100,6 +100,27 @@ public function dataIsIPWhitelisted() {
 ],
 true,
 ],
+ [
+ '10.10.10.10',
+ [
+ 'whitelist_0' => '10.10.10.11/31',
+ ],
+ true,
+ ],
+ [
+ '10.10.10.10',
+ [
+ 'whitelist_0' => '10.10.10.9/31',
+ ],
+ false,
+ ],
+ [
+ '10.10.10.10',
+ [
+ 'whitelist_0' => '10.10.10.15/29',
+ ],
+ true,
+ ],
 [
 'dead:beef:cafe::1',
 [
@@ -127,6 +148,14 @@ public function dataIsIPWhitelisted() {
 ],
 true,
 ],
+ [
+ 'dead:beef:cafe::1111',
+ [
+ 'whitelist_0' => 'dead:beef:cafe::1100/123',
+
+ ],
+ true,
+ ],
 [
 'invalid',
 [],
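Review bot: Nothing visible in this hunk ties the bit index `$i` to the length of the packed addresses, so a whitelist entry whose prefix length is larger than the address width would read past the end of `$addr` and `$ip` at `ord($addr[(int)($i/8)])`. PHP reports an uninitialized string offset there and, as far as I can tell, both sides then compare as zero, so the excess bits silently count as a match. The loop header and the parsing of the prefix length sit outside the hunk, as does the rest of isIPWhitelisted, so this may already be handled; if it is not, reject or clamp prefix lengths above `strlen($addr) * 8` and skip entries where `strlen($addr) !== strlen($ip)`. A one-line comment on the new mask, `// bit $i of the prefix, most significant bit of each byte first`, would also document the ordering the fix relies on.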
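Review bot: The added rows in dataIsIPWhitelisted never cover an address that differs from the whitelist entry only in the upper three bits of an octet, which are the bits the removed `15 << (1 - ($i % 2))` mask never compared. The only new `false` row (`10.10.10.9/31`) differs in a low bit and, judging by the removed lines, would have been rejected before the fix too, so nothing here pins the over-matching direction that weakens the throttle. Consider a constructed negative row such as `['10.10.10.10', ['whitelist_0' => '10.10.10.42/32'], false]`, plus an equivalent IPv6 row beside the `/123` case in the last hunk. The stray empty line inside that `/123` entry could be dropped at the same time; the provider itself continues outside both hunks.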