Fixed Searching user's by IP ranges can return IPv4 and IPv6

[Xon]

Affected version

2.1.1

In XF\Repository\Ip::getUsersByIpRange, for a suitable large lower and upperbound, a both IPv4 and IPv6 can potentially be returned. Except returning both address formats doesn't make sense from a networking perspective.

As lowerBound/upperBound should be fixed size IPv4 or IPv6 binary strings; adding a length check should be enough, ie;

  public function getUsersByIpRange($lowerBound, $upperBound)
  {
      $ips = $this->db()->fetchAllKeyed("
   SELECT user_id,
      GROUP_CONCAT(DISTINCT ip ORDER BY ip SEPARATOR '  ') AS ips,
      MIN(log_date) AS first_date,
      MAX(log_date) AS last_date,
      COUNT(*) AS total
   FROM xf_ip
   WHERE ip >= ? AND ip <= ? AND LENGTH(ip) = ?
   GROUP BY user_id
", 'user_id', [$lowerBound, $upperBound, strlen($lowerBound)]);
...

 

[XF Bug Bot]

Thank you for reporting this issue. It has now been resolved and we are aiming to include it in a future XF release (2.1.2).

Change log:

Constrain user IP searches by length to ensure IP versions aren't mixed.

Any changes made as a result of this issue being resolved may not be rolled out here until later.