This repository was archived by the owner on Nov 27, 2020. It is now read-only.

Commit d6d641d

bug #937 Properly lock down app_dev.php (phihag)
This PR was submitted for the master branch but it was merged into the 2.7 branch instead (closes #937).

Discussion
----------

Properly lock down app_dev.php

Currently, web/app_dev.php in the symfony-standard package limits requests to those coming from CLI and unproxied localhost. This prevents an attacker from executing this file in a production environment.

IPv4 localhost requests can come from 127.0.0.0/8, so the current check is actually a little bit too restrictive, but safe. IPv6 localhost requests come from ::1/128. The address fe80::1, however, is a link-local IPv6 address like any other. Anyone in the local network can take it and communicate with it. Therefore, it does not belong here.

Commits
-------

f63bbbf Properly lock down app_dev.php
2 parents 1b197e6 + f63bbbf commit d6d641d
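As an added example (not code from the symfony-standard project or from this PR), the same "is this request really local?" test written as a standalone function that goes one step beyond the patched line: it accepts the whole 127.0.0.0/8 loopback block and the IPv4-mapped form ::ffff:127.x.x.x, while still rejecting fe80::1 and every other link-local address. Function names and the sample addresses are constructed for the illustration, and the cli-server bypass of the original file is deliberately left out.

```php
<?php
// Hypothetical helper: true only for genuine loopback addresses.
// fe80::/10 is link-local, reachable by any host on the segment, so it is
// never accepted here.
function isLoopbackAddress(string $ip): bool
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return false; // unparseable address is never trusted
    }
    if (strlen($packed) === 4) {
        // IPv4: loopback is 127.0.0.0/8, i.e. the first octet is 127
        return ord($packed[0]) === 127;
    }
    // IPv6: only ::1 is loopback
    if ($packed === inet_pton('::1')) {
        return true;
    }
    // IPv4-mapped IPv6 (::ffff:127.0.0.1) still denotes IPv4 loopback
    $mappedPrefix = str_repeat("\0", 10) . "\xff\xff";
    if (substr($packed, 0, 12) === $mappedPrefix) {
        return ord($packed[12]) === 127;
    }
    return false;
}

// Hypothetical helper mirroring the app_dev.php gate: any proxy header
// means the true origin cannot be verified, so the request is refused.
function isLocalDevRequest(array $server): bool
{
    if (isset($server['HTTP_CLIENT_IP']) || isset($server['HTTP_X_FORWARDED_FOR'])) {
        return false;
    }
    return isset($server['REMOTE_ADDR']) && isLoopbackAddress($server['REMOTE_ADDR']);
}

// Constructed sample inputs: the first four are allowed, the last two denied.
$samples = ['127.0.0.1', '127.0.0.2', '::1', '::ffff:127.0.0.1', 'fe80::1', '10.0.0.5'];
foreach ($samples as $ip) {
    printf("%-18s %s\n", $ip, isLocalDevRequest(['REMOTE_ADDR' => $ip]) ? 'allowed' : 'denied');
}
```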

1 file changed: +1 -1 lines changed


web/app_dev.php

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@
1212
// Feel free to remove this, extend it, or make something more sophisticated.
1313
if (isset($_SERVER['HTTP_CLIENT_IP'])
1414
|| isset($_SERVER['HTTP_X_FORWARDED_FOR'])
15-
|| !(in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', 'fe80::1', '::1')) || php_sapi_name() === 'cli-server')
15+
|| !(in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', '::1')) || php_sapi_name() === 'cli-server')
1616
) {
1717
header('HTTP/1.0 403 Forbidden');
1818
exit('You are not allowed to access this file. Check '.basename(__FILE__).' for more information.');
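Review bot: Dropping `'fe80::1'` from the array on line 15 is the right fix, but the comment on line 12 ("Feel free to remove this, extend it, or make something more sophisticated.") invites future edits, so add a short comment beside `array('127.0.0.1', '::1')` stating that fe80::1 was removed because it is link-local and reachable by any host on the segment, and that only ::1 counts as IPv6 loopback; otherwise someone extending the list may reintroduce it. Two smaller points on the same line: exact matching against `'127.0.0.1'` rejects the rest of 127.0.0.0/8 (stricter than necessary but fail-closed, as the commit message notes), and `php_sapi_name() === 'cli-server'` short-circuits the address check entirely, so the built-in server is trusted regardless of REMOTE_ADDR; that silently assumes the dev server is only ever bound to localhost and deserves a comment too.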
