ipaddress=:: unexpectedly matches IPv4-mapped IPv6 addresses

[0f-0b]

Prerequisites

• I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
• This is NOT a YouTube, Facebook or Twitch report. These sites MUST be reported by clicking their respective links.
• This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
• The issue is not present after disabling uBO in the browser.
• I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

• uBO is the only extension.
• uBO uses default lists and settings.
• using a new, unmodified browser profile.

Description

The “uBlock filters – Privacy” list contains the following filter, intended to prevent access to the unspecified address ::/128.

*$all,ipaddress=::,domain=~0.0.0.0|~127.0.0.1|~[::1]|~[::]|~local|~localhost

However, IPv4-mapped addresses ::ffff:0:0/96 also happen to be blocked by this filter.

A specific URL where the issue occurs.

https://[::ffff:14cd:f3a6]/

Steps to Reproduce

1. Enable the “uBlock filters – Privacy” list or manually add said filter.
2. Visit https://[::ffff:14cd:f3a6]/.

Expected behavior

The page loads. The browser may warn about the certificate being invalid.

Actual behavior

The page is blocked by this extension.

uBO version

1.59.1rc1

Browser name and version

Firefox 131.0b7

Operating System and version

macOS 14.6.1

[gorhill]

@stephenhawk8054 The latest syntax for ipaddress= values which are not regex is "starts with", so :: ended up matching all IPv6 addresses starting with ::, which is a lot. For now I converted the value to a regex.

I chose the "starts with" approach because this makes it more convenient for IPv4 addresses, but obviously it's not working well for IPv6 addresses. We will need to agree on a syntax which is a good balance between convenience while keeping the implementation straightforward.

[stephenhawk8054]

Ah right. I forgot ipv6 has more problems with startsWith. Actually ipv4 can have issue too, 149.34.253.24 can end up matching more than expected. And might end up in using regex a lot.

Maybe a hint like

ipaddress=startsWith ::,domain=
ipaddress=startsWith 149.34.253.24,domain=

to signal using startsWith. If there's no =startsWith , match exactly?

[gorhill]

I will go with wildcard at the end, i.e. ::* for anything starting with ::, and :: for exact match.

[stephenhawk8054]

Wildcard is a good idea 👍

[garry-ut99]

Small note: the above commit has been forgotten to be mentioned in release changelog

[gorhill]

I don't mention commits which are not of interest to stable release. ipaddress= didn't exist in previous stable release, so a fix/change to an newly introduced option not yet in stable is of no interest. People who want to know all the details can browse all commits since last stable release.

[stephenhawk8054]

Confirm it's fixed in 1.59.1rc5.