From 27b6ca44ef25bd2b5f40e6a812ca9f3f3f26ae83 Mon Sep 17 00:00:00 2001 From: geoffdutton Date: Thu, 22 Jun 2017 16:54:47 -0500 Subject: [PATCH] Multiple reverse proxy IPs in $_SERVER['HTTP_X_FORWARDED_FOR'] (#4007) * ignore intellij file * Added a check for multiple IPs stored in HTTP_X_FORWARDED_FOR header --- .gitignore | 1 + includes/misc-functions.php | 4 +++- tests/tests-misc.php | 13 +++++++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index e17768d5369..3c0fef7bd26 100755 --- a/.gitignore +++ b/.gitignore @@ -17,6 +17,7 @@ $RECYCLE.BIN/ # PhpStorm .idea +Easy-Digital-Downloads.iml # Eclipse *.pydevproject diff --git a/includes/misc-functions.php b/includes/misc-functions.php index 1e5cc41feb2..f26ca233558 100755 --- a/includes/misc-functions.php +++ b/includes/misc-functions.php @@ -169,7 +169,9 @@ function edd_get_ip() { $ip = $_SERVER['HTTP_CLIENT_IP']; } elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { //to check ip is pass from proxy - $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; + // can include more than 1 ip, first is the public one + $ip = explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']); + $ip = trim($ip[0]); } elseif( ! empty( $_SERVER['REMOTE_ADDR'] ) ) { $ip = $_SERVER['REMOTE_ADDR']; } diff --git a/tests/tests-misc.php b/tests/tests-misc.php index e615f375ec0..d46e525f328 100755 --- a/tests/tests-misc.php +++ b/tests/tests-misc.php 
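Review bot: The new `$ip = trim($ip[0]);` in the `HTTP_X_FORWARDED_FOR` branch takes the leftmost entry, which is the one a client can set freely — proxies append the connecting address to the right and normally keep whatever the client already sent — so this branch (like the `HTTP_CLIENT_IP` branch above it) lets any request choose the address the plugin records, and nothing in the hunk checks that the chosen value is an IP address at all. At minimum validate the selected entry and fall through to `REMOTE_ADDR` when it fails, e.g. `$ip = filter_var( trim( $ip[0] ), FILTER_VALIDATE_IP ) ? trim( $ip[0] ) : $_SERVER['REMOTE_ADDR'];`, and consider honouring the header only when `REMOTE_ADDR` is a known proxy, taking the rightmost entry that is not one of your own proxies. The added comment `// can include more than 1 ip, first is the public one` would be more accurate as `// comma-separated: client, proxy1, proxy2 … — the leftmost value is client-supplied and cannot be trusted on its own`. `edd_get_ip()` starts before this hunk and its return path is outside it, so a later filter may already sanitise `$ip`; if it does not, the spoofing concern stands.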
@@ -57,6 +57,19 @@ public function test_get_ip() { $_SERVER['REMOTE_ADDR'] = '127.0.0.1'; } + public function test_get_ip_reverse_proxies() { + $_SERVER['HTTP_X_FORWARDED_FOR'] = '123.123.123.123, 10.0.0.2'; + $this->assertEquals( '123.123.123.123', edd_get_ip() ); + unset($_SERVER['HTTP_X_FORWARDED_FOR']); + } + + public function test_get_ip_reverse_proxy() { + $_SERVER['HTTP_X_FORWARDED_FOR'] = '123.123.123.123'; + $this->assertEquals( '123.123.123.123', edd_get_ip() ); + unset($_SERVER['HTTP_X_FORWARDED_FOR']); + } + + public function test_get_currencies() { $expected = array( 'USD' => __( 'US Dollars ($)', 'easy-digital-downloads' ),
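Review bot: In both new tests the `unset($_SERVER['HTTP_X_FORWARDED_FOR']);` cleanup is placed after the assertion, so a failing `assertEquals` skips it and the header leaks into every later test that reads `edd_get_ip()`; the existing `test_get_ip` in this hunk resets `REMOTE_ADDR` the same way, so the pattern is inherited. Move the reset into the class's `tearDown()` (`unset( $_SERVER['HTTP_X_FORWARDED_FOR'], $_SERVER['HTTP_CLIENT_IP'] );`) so it runs regardless of the outcome. The two cases also only cover well-formed input; a third case with surrounding whitespace such as `'  123.123.123.123 ,10.0.0.2'` would pin the `trim()` behaviour, and a case with a non-address first entry (e.g. `'spoofed, 10.0.0.2'`) would document what the function is expected to return for malformed headers, whatever that is decided to be. The test class and `test_get_ip` start before this hunk.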