Pingback Denial of Service Fix - filter_var based IP validation

[hakre]

Just a small improvement upon review of [23330] (some points were not clear to me, especially colons in hostnames and trimming of the hostnames for dots; left them as-is).

Also used strcasecmp.

BTW, what about #4137, can it be closed now?

This was an SSRF fix, not directly a DoS fix. #4137 remains valid.

I generally just opt for what was done here, but sure, strcasecmp() is fine.

filter_var() was deliberately avoided because it has numerous bugs in 5.2.x and 5.3.x, in particular IDN domains but other bugs (IIRC) as well.

Colons in hostnames and trimming the hostname for dots were both deliberate. I'll publicly commit our extensive unit tests in the near future.

At a glance , your isset() appears proper.

In the future, if you have specific questions about a security fix, you can also email security@…, in case you have found something sensitive in nature.

Yes, the isset was missing too, forgot to mention. filter_var worked well for my tests, I still can run more tests against PHP 5.2, but I would need to know into which concrete bugs you run, especially with IPv4 validating which is used in the patch. I did not found any issues so far.