From fc42243ec27f3aac757dacab23c84f3c61653467 Mon Sep 17 00:00:00 2001
From: Reiner Herrmann
Date: Sun, 30 Jul 2023 23:57:03 +0200
Subject: [PATCH] Use is_global checks from Rust ipaddr crate
---
src/api/client_server/media.rs | 44 +++++++++++++++++++++++++++++-----
1 file changed, 38 insertions(+), 6 deletions(-)
diff --git a/src/api/client_server/media.rs b/src/api/client_server/media.rs
index c6381183..eb7298e0 100644
--- a/src/api/client_server/media.rs
+++ b/src/api/client_server/media.rs
@@ -103,18 +103,50 @@ fn url_request_allowed(addr: &IpAddr) -> bool { // could be implemented with reqwest when it supports IP filtering: // https://github.com/seanmonstar/reqwest/issues/1515 - // TODO: simplify to .is_global() when it has been stabilized + // These checks have been taken from the Rust core/net/ipaddr.rs crate, + // IpAddr::V4.is_global() and IpAddr::V6.is_global(), as .is_global is not + // yet stabilized. TODO: Once this is stable, this match can be simplified. match addr { IpAddr::V4(ip4) => { - !(ip4.is_private() + !(ip4.octets()[0] == 0 // "This network" + || ip4.is_private() + || (ip4.octets()[0] == 100 && (ip4.octets()[1] & 0b1100_0000 == 0b0100_0000)) // is_shared() || ip4.is_loopback() || ip4.is_link_local() - || ip4.is_multicast() - || ip4.is_broadcast() + // addresses reserved for future protocols (`192.0.0.0/24`) + || (ip4.octets()[0] == 192 && ip4.octets()[1] == 0 && ip4.octets()[2] == 0) || ip4.is_documentation() - || ip4.is_unspecified()) + || (ip4.octets()[0] == 198 && (ip4.octets()[1] & 0xfe) == 18) // is_benchmarking() + || (ip4.octets()[0] & 240 == 240 && !ip4.is_broadcast()) // is_reserved() + || ip4.is_broadcast()) + } + IpAddr::V6(ip6) => { + !(ip6.is_unspecified() + || ip6.is_loopback() + // IPv4-mapped Address (`::ffff:0:0/96`) + || matches!(ip6.segments(), [0, 0, 0, 0, 0, 0xffff, _, _]) + // IPv4-IPv6 Translat. 
(`64:ff9b:1::/48`) + || matches!(ip6.segments(), [0x64, 0xff9b, 1, _, _, _, _, _]) + // Discard-Only Address Block (`100::/64`) + || matches!(ip6.segments(), [0x100, 0, 0, 0, _, _, _, _]) + // IETF Protocol Assignments (`2001::/23`) + || (matches!(ip6.segments(), [0x2001, b, _, _, _, _, _, _] if b < 0x200) + && !( + // Port Control Protocol Anycast (`2001:1::1`) + u128::from_be_bytes(ip6.octets()) == 0x2001_0001_0000_0000_0000_0000_0000_0001 + // Traversal Using Relays around NAT Anycast (`2001:1::2`) + || u128::from_be_bytes(ip6.octets()) == 0x2001_0001_0000_0000_0000_0000_0000_0002 + // AMT (`2001:3::/32`) + || matches!(ip6.segments(), [0x2001, 3, _, _, _, _, _, _]) + // AS112-v6 (`2001:4:112::/48`) + || matches!(ip6.segments(), [0x2001, 4, 0x112, _, _, _, _, _]) + // ORCHIDv2 (`2001:20::/28`) + || matches!(ip6.segments(), [0x2001, b, _, _, _, _, _, _] if b >= 0x20 && b <= 0x2F) + )) + || ((ip6.segments()[0] == 0x2001) && (ip6.segments()[1] == 0xdb8)) // is_documentation() + || ((ip6.segments()[0] & 0xfe00) == 0xfc00) // is_unique_local() + || ((ip6.segments()[0] & 0xffc0) == 0xfe80)) // is_unicast_link_local } - IpAddr::V6(ip6) => !(ip6.is_loopback() || ip6.is_multicast() || ip6.is_unspecified()), } }
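Review bot: The rewritten IPv4 arm drops the `ip4.is_multicast()` test that the old list had, and the new IPv6 arm no longer has `ip6.is_multicast()` either; the copied `is_global` logic does not cover them (the `& 240 == 240` reserved test starts at 240.0.0.0, above the IPv4 multicast range), so multicast destinations that were refused before now pass `url_request_allowed`. Because this function gates outbound fetches rather than answering "is this address globally routable", I would keep both as extra terms, `|| ip4.is_multicast()` in the V4 arm and `|| ip6.is_multicast()` in the V6 arm. The new comment should then say that the list is intentionally stricter than `is_global`, so the TODO is not later resolved by a plain swap that reopens the gap. It may also be worth deciding explicitly how IPv6 prefixes that carry an embedded IPv4 address, other than the IPv4-mapped form rejected here, should be treated, since the copied logic appears to accept them without applying the V4 checks to the embedded address. The body of `url_request_allowed` begins above the hunk, so how `addr` is obtained and whether it is the address actually connected to is not visible here.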