Haschek-Solutions/http2pic
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: block 0.0.0.0/8 in isPrivateIP to prevent loopback bypass

Browse Source
This commit is contained in:
Chris
2026-04-21 12:35:31 +02:00
parent 4ab30bcc1d
commit 6dc0001f9d
2 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
tests/test_helpers.php
View File

@@ -26,6 +26,7 @@ check(isPrivateIP('169.254.169.254'), 'AWS metadata IP');
check(!isPrivateIP('8.8.8.8'), 'Google DNS is public');
check(!isPrivateIP('93.184.216.34'), 'example.com IP is public');
check(isPrivateIP('not-an-ip'), 'unparseable IP blocked');
check(isPrivateIP('0.0.0.0'), '0.0.0.0 blocked (routes to loopback)');
// --- getUserIP ---
unset($_SERVER['HTTP_CLIENT_IP']);