icanhazip.com broken on ipv4 IP updates

Question

icanhazip.com broken on ipv4 IP updates

reaperhulk opened this issue 4 months ago · comments

It appears that Cloudflare (who hosts icanhazip.com) recently updated their Set-Cookie headers to include a substring that matches the IPv4 regex. This is not always present as of this writing, but the vast majority of responses include it.

Example response:

RECEIVE:  Set-Cookie: __cf_bm=2xnVOVFwaGV_.05NtWe659KpXPz8R5ZvmGa5wjiWX_U-1709330132-1.0.1.1-cXaXzBbLD.ZvArvSQmhhU3Z3cH_Fss4F..Yy3Kp1tkUXG0Kcql5NZTELMCYc0yKsCaoZ7rbRZr3e7.0zcgwOXw; path=/; expires=Fri, 01-Mar-24 22:25:32 GMT; domain=.icanhazip.com; HttpOnly; SameSite=None

Since the extract_ipv4 function searches for the "first valid IPv4 address in the given string" and the string includes the headers, this causes it to set the IP to 1.0.1.1 rather than the returned value in the body of the HTTP response.

IPv6 is unaffected since the regex doesn't match, but the same potential for future issues is present.

Lenard Hess · Answer 1 · Sat Mar 02 2024 19:37:00 GMT+0800 (China Standard Time)

One way to work around this is using the web-skip parameter to skip part of the reply. I tried setting it to \n\n to skip the HTTP headers and it worked for me:

$ ddclient -query -web ipv4.icanhazip.com -web-skip='\n\n'
----- Test_possible_ip with 'get_ip' -----
...
use=web, web=ipv4.icanhazip.com address is 84.xxx.xxx.xxx
...

It might make sense to change the default skip value to that. I'd assume most IP querying sites will return the IP in the HTTP body, not the headers - and IPs in headers could always happen.

taumataa · Answer 2 · Sun Mar 03 2024 13:23:08 GMT+0800 (China Standard Time)

Thank you for that @LenardHess
Would I need to modify the /etc/ddclient.conf file to apply this solution and if so, what would I need to modify?
I've added web-skip to the following line to no avail:
use=web, web=https://ipv4.icanhazip.com, web-skip='\n\n'

Matt · Answer 3 · Tue Mar 05 2024 01:17:11 GMT+0800 (China Standard Time)

Thank you for that @LenardHess Would I need to modify the /etc/ddclient.conf file to apply this solution and if so, what would I need to modify? I've added web-skip to the following line to no avail: use=web, web=https://ipv4.icanhazip.com, web-skip='\n\n'

I couldn't get this to work with the ddclient.conf file, so ended up swapping to use https://api.ipify.org/ instead;

use=web, web=api.ipify.org

Spencer Hughes · Answer 4 · Tue Mar 05 2024 12:01:58 GMT+0800 (China Standard Time)

I just wanted to chime in and say that I also experienced this issue; it gave me a tiny heart attack because 1.0.1.1 seems to be a Chinese IP and I'd thought my security had been compromised.

DMBuce · Answer 5 · Thu Mar 07 2024 02:13:45 GMT+0800 (China Standard Time)

Would I need to modify the /etc/ddclient.conf file to apply this solution and if so, what would I need to modify?

I was able to add web-skip to ddclient.conf by escaping the backslashes:

use=web
web=https://icanhazip.com
web-skip='\\n\\n'

jpsimard-nyx · Answer 6 · Wed May 08 2024 01:25:02 GMT+0800 (China Standard Time)

I prefer handling the content directly rather than relying on potentially volatile patterns in this scenario :

use=cmd, cmd='curl -fs https://ipv4.icanhazip.com'