
Security: SQL-escape the return value of api_get_real_ip() as HTTP headers are vulnerable to remote tampering
ywarnier committed Apr 12, 2018
1 parent b358b8a commit 91888ab60459d13e478f0afbf8394f2189af9af9
Showing with 4 additions and 2 deletions.
  1. +1 −1 main/exercise/exercise.class.php
  2. +3 −1 main/inc/lib/api.lib.php
@@ -3036,7 +3036,7 @@ public function save_stat_track_exercise_info(
'orig_lp_item_id' => $safe_lp_item_id,
'orig_lp_item_view_id' => $safe_lp_item_view_id,
'exe_weighting' => $weight,
'user_ip' => api_get_real_ip(),
'user_ip' => Database::escape_string(api_get_real_ip()),
'exe_date' => api_get_utc_datetime(),
'exe_result' => 0,
'steps_counter' => 0,
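Review bot: `Database::escape_string()` on the `'user_ip'` line makes the value safe to interpolate, but the column still receives whatever a client put in X-Forwarded-For, because api_get_real_ip() does not validate the header; for a field meant to hold an IP, rejecting non-IP values is the tighter check, e.g. `$ip = api_get_real_ip();` followed by `'user_ip' => filter_var($ip, FILTER_VALIDATE_IP) ? Database::escape_string($ip) : '',`. The neighbouring `$safe_lp_item_id` and `$safe_lp_item_view_id` entries suggest this array holds pre-escaped strings, so escaping here matches the surrounding convention; if the array is later handed to a helper that escapes again, the value would be double-escaped, which cannot be confirmed from this hunk. save_stat_track_exercise_info() starts and ends outside the hunk.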
@@ -1837,7 +1837,7 @@ function api_get_anonymous_id()
// Find if another anon is connected now
$table = Database::get_main_table(TABLE_STATISTIC_TRACK_E_LOGIN);
$tableU = Database::get_main_table(TABLE_MAIN_USER);
$ip = api_get_real_ip();
$ip = Database::escape_string(api_get_real_ip());
$max = api_get_configuration_value('max_anonymous_users');
if ($max >= 2) {
$sql = "SELECT * FROM $table as TEL
@@ -7409,6 +7409,8 @@ function api_user_is_login($user_id = null)
* Guess the real ip for register in the database, even in reverse proxy cases.
* To be recognized, the IP has to be found in either $_SERVER['REMOTE_ADDR'] or
* in $_SERVER['HTTP_X_FORWARDED_FOR'], which is in common use with rproxies.
* Note: the result of this function is not SQL-safe. Please escape it before
* inserting in a database
*
* @return string the user's real ip (unsafe - escape it before inserting to db)
*
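Review bot: The new docblock note shifts the burden to every caller of api_get_real_ip(), yet only two call sites are escaped in this commit; any other caller that interpolates the result into SQL remains exposed, and a future caller can forget the step. Validating inside the function is safer by construction: once the candidate from X-Forwarded-For is chosen, `if (!filter_var($ip, FILTER_VALIDATE_IP)) { $ip = ''; }` (or a fallback to REMOTE_ADDR) guarantees the return value is a well-formed address with no SQL or HTML metacharacters, and the docblock can then promise that instead of warning. Independently, X-Forwarded-For should only be consulted when the application is actually deployed behind a trusted reverse proxy, since any client can send the header directly; that caveat belongs in the docblock as well. The function body is outside this hunk, so the exact insertion point cannot be confirmed from here; note also that the escaped `$ip` in the api_get_anonymous_id() hunk above is interpolated into `$sql`, which continues past its hunk.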
