IPv6 rules cause logging of warnings when nextcloud is accessed via IPv4 #96
Description
How to use GitHub
- Please use the 👍 reaction to show that you are affected by the same issue.
- Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
- Subscribe to receive notifications on status change and new comments.
Steps to reproduce
- Add a 'Block access to a file' flow.
- Add a 'Request remote address' 'does not match IPv6' rule to the flow.
- Access nextcloud via IPv4.
Expected behaviour
No excessive logging.
Actual behaviour
unpack(): Type A: not enough input, need 16, have 4 at /var/www/nextcloud/apps/workflowengine/lib/Check/RequestRemoteAddress.php#115
and
Trying to access array offset on value of type bool at /var/www/nextcloud/apps/workflowengine/lib/Check/RequestRemoteAddress.php#116
is logged repeatedly at level 2/warning. Log viewer becomes unusable.
Server configuration
Web server: Nginx
Database: PostgreSQL
PHP version: 8.2.28
Nextcloud version: 31.0.7.1
My suggestions
Looking at /var/www/nextcloud/apps/workflowengine/lib/Check/RequestRemoteAddress.php, I don't see any check whether the address actually is an IPv6 address before ipv6ToBits is called. Adding a check between the two lines
$ipNet = inet_pton($ip);
$binaryIp = $this->ipv6ToBits($ipNet);
in matchIPv6 and return false when it isn't an IPv6 address will likely fix the issue.
A bit unrelated to this I found that the code copied from stackoverflow for the ipv6ToBits method had an error and was corrected in the mean time. The unnecessary unpack will truncate IPv6 addresses that contain a 0x20 byte.