On Fri, 20 Mar 2026 at 18:49:29 +0100, Guilhem Moulin wrote:
>> Upstream's solution for the last issue adds a new runtime dependency
>> mlocati/ip-lib ≥1.22
>> which unfortunately is not in Debian yet. I can upload it to sid as
>> part of the PEAR team, but older suites will need another solution.
>
> On second thought there is some value in having the workaround in sid
> too, at least for now (in case there would be regressions). Here is the
> PHP-native alternative I came up with:
>
> https://salsa.debian.org/roundcube-team/roundcube/-/blob/debian/latest/debian/patches/Avoid-dependency-on-new-package-mlocati-ip-lib.patch
There are issues with this solution.

Leading zeros in IPv4 octets yield an invalid address, so for instance
is_local_url('http://127.00.01.001') returns false, but GuzzleHTTP
sanitizes the input and happily queries 127.0.1.1. AFAICT
mlocati/ip-lib does sanitize the input too so the upstream solution is
not affected.

IPv4-mapped (and IPv4-compatible) IPv6s are not checked for, so
is_local_url('http://[::ffff:127.0.0.1]') returns false. This means an
attacker could trivially evade the mitigation by using IPv4-mapped
addresses. AFAICT the upstream fix is affected too; I'll bring the
issue to their attention.
--
Guilhem.
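Added illustration, not part of the message above and not Roundcube's code nor the linked debian/patches file: a Python sketch of an is_local_url-style check that closes the two gaps described in the thread. It canonicalises the host literal before classifying it (leading-zero octets folded to decimal, IPv4-mapped and IPv4-compatible IPv6 unwrapped to the IPv4 address they carry) and fails closed on any IP literal it cannot parse, rather than returning "not local". The helper names, the rule that a hostname whose every label is numeric is an IPv4 literal in some spelling, and the assumption that leading-zero octets are read as decimal by the downstream HTTP client (as the thread reports for 127.00.01.001) are mine; Python is used because it runs stand-alone, the real fix for Roundcube would be PHP.

```python
"""Hardened is_local_url-style check (added example, not Roundcube's code).

Idea: never classify a host literal in the spelling the attacker chose.
Either canonicalise it to one address object and classify that, or refuse
(treat as local) when it cannot be canonicalised.
"""
import ipaddress
import re
from typing import Optional, Union
from urllib.parse import urlsplit

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# A label made only of decimal digits, or a 0x-prefixed hex run.
_NUMERIC_LABEL = re.compile(r"[0-9]+|0x[0-9a-f]*")


def looks_like_ip_literal(host: str) -> bool:
    """IPv6 literals contain ':'; a name whose every label is numeric can never
    be a valid hostname (TLDs are not all-numeric), so it is an IPv4 literal in
    some spelling: dotted quad, shortened form, hex, with or without leading zeros."""
    if ":" in host:
        return True
    return all(_NUMERIC_LABEL.fullmatch(label) for label in host.split("."))


def canonical_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Dotted quad with leading zeros read as decimal: '127.00.01.001' -> 127.0.1.1.
    Assumption (mine): the downstream client treats such octets as decimal, which is
    what the thread reports for this input. Any other spelling (fewer than four
    parts, hex, octet > 255) returns None so the caller fails closed."""
    parts = host.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    octets = [int(p, 10) for p in parts]
    if max(octets) > 255:
        return None
    return ipaddress.IPv4Address(".".join(map(str, octets)))


def unwrap_ipv6(addr: ipaddress.IPv6Address) -> Address:
    """Fold IPv4-mapped (::ffff:a.b.c.d / ::ffff:7f00:1) and the deprecated
    IPv4-compatible (::a.b.c.d) forms back to the IPv4 address they carry, so
    127.0.0.1 is recognised however it is written."""
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    value = int(addr)
    if value >> 32 == 0 and value > 1:  # high 96 bits zero, but not :: or ::1
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    return addr


def host_to_address(host: str) -> Optional[Address]:
    """Canonicalise a host literal; None means 'could not parse' (caller fails closed)."""
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and any IPv6 zone id
    v4 = canonical_ipv4(host)
    if v4 is not None:
        return v4
    try:
        return unwrap_ipv6(ipaddress.IPv6Address(host))
    except ValueError:
        return None


def is_local_url(url: str) -> bool:
    """True when the URL's host is loopback, unspecified, link-local or private,
    or is an IP literal this code cannot canonicalise (fail closed). Plain
    hostnames are only matched against 'localhost'; resolving them via DNS and
    checking the answers is a separate concern not covered here."""
    try:
        host = urlsplit(url).hostname  # lowercased, brackets removed
    except ValueError:  # malformed bracketed IPv6 literal
        return True
    if not host:
        return True
    if not looks_like_ip_literal(host):
        return host == "localhost" or host.endswith(".localhost")
    addr = host_to_address(host)
    if addr is None:
        return True
    return (addr.is_loopback or addr.is_unspecified
            or addr.is_link_local or addr.is_private)


if __name__ == "__main__":
    # The two bypasses from the thread, plus a few spellings the same rule catches.
    for u in ("http://127.00.01.001/", "http://[::ffff:127.0.0.1]/",
              "http://[::ffff:7f00:1]/", "http://[::127.0.0.1]/",
              "http://127.1/", "http://0x7f000001/", "http://example.com/"):
        print(f"{u:32} local={is_local_url(u)}")
```

Both inputs from the message now come back as local: the leading-zero quad is folded to 127.0.1.1 and the mapped address to 127.0.0.1 before the loopback test runs. Spellings the code does not canonicalise (the shortened 127.1, the hex 0x7f000001) are refused instead of being passed through as "not local", which is the behaviour a practitioner wants whenever the validator cannot be sure it parses the host the same way the HTTP client will.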