From 8e234dc241ed40ec67fabd0c951b3ea61c45321c Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 18 Oct 2024 08:57:04 +0200
Subject: [PATCH] library / Firewall\Util::isIPInCIDR extend sanity checks, closes https://github.com/opnsense/core/pull/7978

The existing sanity checks only prevented a non-ip address from being accepted, but ignored the fact a netmaskt might either be faulty or of a different ip familily. This commit extends the test to the cidr part and ip family.
---
 .../mvc/app/library/OPNsense/Firewall/Util.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php
index 708b30fd8..95e82b613 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php
@@ -407,15 +407,15 @@ class Util
      */
     public static function isIPInCIDR($ip, $cidr)
     {
-        if (!self::isIpAddress($ip)) {
+        if (!self::isIpAddress($ip) || !self::isSubnet($cidr)) {
             return false;
-        }
-
-        if (str_contains($ip, ':')) {
+        } elseif (str_contains($ip, ':') && str_contains($cidr, ':')) {
             return self::isIPv6InCIDR($ip, $cidr);
+        } elseif (!str_contains($ip, ':') && !str_contains($cidr, ':')) {
+            return self::isIPv4InCIDR($ip, $cidr);
         }
+        return false;

-        return self::isIPv4InCIDR($ip, $cidr);
     }

     /**
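Review bot: `isIPInCIDR` now returns `false` both when the address lies outside the range and when `$cidr` is malformed or of the other address family, so a caller cannot tell a mistyped network from a genuine non-match. For callers that use the result to exclude or block addresses (none are visible in this hunk, so this is an assumption to check), a bad entry would silently stop matching rather than surface as an error. The docblock, which starts above the hunk, should spell the contract out, e.g. `@return bool true if $ip is inside $cidr; false if it is not, or if either argument is invalid or the address families differ`. The family test keys on `:` alone, so an IPv4-mapped IPv6 address will presumably never match an IPv4 network, which deserves a line in the same docblock and a unit test. The blank line left between `return false;` and the closing brace can be dropped.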