SEC-1733: Support explicit zero netmask correctly.

15 years ago · 977da0da1f
2 changed files with 31 additions and 5 deletions
--- a/web/src/main/java/org/springframework/security/web/util/IpAddressMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/IpAddressMatcher.java
@ -17,7 +17,7 @@ import org.springframework.util.StringUtils;
				@@ -17,7 +17,7 @@ import org.springframework.util.StringUtils;
 * @author Luke Taylor
 * @since 3.0.2
 */
-public class IpAddressMatcher implements RequestMatcher {
+public final class IpAddressMatcher implements RequestMatcher {
    private final int nMaskBits;
    private final InetAddress requiredAddress;

@ -34,19 +34,23 @@ public class IpAddressMatcher implements RequestMatcher {
				@@ -34,19 +34,23 @@ public class IpAddressMatcher implements RequestMatcher {
            ipAddress = addressAndMask[0];
            nMaskBits = Integer.parseInt(addressAndMask[1]);
        } else {
-            nMaskBits = 0;
+            nMaskBits = -1;
        }
        requiredAddress = parseAddress(ipAddress);
    }

    public boolean matches(HttpServletRequest request) {
-        InetAddress remoteAddress = parseAddress(request.getRemoteAddr());
+        return matches(request.getRemoteAddr());
+    }
+
+    public boolean matches(String address) {
+        InetAddress remoteAddress = parseAddress(address);

        if (!requiredAddress.getClass().equals(remoteAddress.getClass())) {
            return false;
        }

-        if (nMaskBits == 0) {
+        if (nMaskBits < 0) {
            return remoteAddress.equals(requiredAddress);
        }

--- a/web/src/test/java/org/springframework/security/web/util/IpAddressMatcherTests.java
+++ b/web/src/test/java/org/springframework/security/web/util/IpAddressMatcherTests.java
@ -28,7 +28,6 @@ public class IpAddressMatcherTests {
				@@ -28,7 +28,6 @@ public class IpAddressMatcherTests {
        assertTrue(v6matcher.matches(ipv6Request));
    }

-
    @Test
    public void ipv6MatcherDoesntMatchIpv4Address() {
        assertFalse(v6matcher.matches(ipv4Request));
@ -48,4 +47,27 @@ public class IpAddressMatcherTests {
				@@ -48,4 +47,27 @@ public class IpAddressMatcherTests {
        ipv4Request.setRemoteAddr("192.168.1.159"); // 159 = 0x9f
        assertTrue(matcher.matches(ipv4Request));
    }
+
+    @Test
+    public void ipv6RangeMatches() throws Exception {
+        IpAddressMatcher matcher = new IpAddressMatcher("2001:DB8::/48");
+
+        assertTrue(matcher.matches("2001:DB8:0:0:0:0:0:0"));
+        assertTrue(matcher.matches("2001:DB8:0:0:0:0:0:1"));
+        assertTrue(matcher.matches("2001:DB8:0:FFFF:FFFF:FFFF:FFFF:FFFF"));
+        assertFalse(matcher.matches("2001:DB8:1:0:0:0:0:0"));
+    }
+
+    // SEC-1733
+    @Test
+    public void zeroMaskMatchesAnything() throws Exception {
+        IpAddressMatcher matcher = new IpAddressMatcher("0.0.0.0/0");
+
+        assertTrue(matcher.matches("123.4.5.6"));
+        assertTrue(matcher.matches("192.168.0.159"));
+
+        matcher = new IpAddressMatcher("192.168.0.159/0");
+        assertTrue(matcher.matches("123.4.5.6"));
+        assertTrue(matcher.matches("192.168.0.159"));
+    }
 }