Multiple reverse proxy IPs in $_SERVER['HTTP_X_FORWARDED_FOR'] (#4007)

* ignore intellij file

* Added a check for multiple IPs stored in HTTP_X_FORWARDED_FOR header

.gitignore

@@ -17,6 +17,7 @@ $RECYCLE.BIN/
 
 # PhpStorm
 .idea
+Easy-Digital-Downloads.iml
 
 # Eclipse
 *.pydevproject

includes/misc-functions.php

@@ -169,7 +169,9 @@ function edd_get_ip() {
 		$ip = $_SERVER['HTTP_CLIENT_IP'];
 	} elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
 		//to check ip is pass from proxy
-		$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+		// can include more than 1 ip, first is the public one
+		$ip = explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']);
+		$ip = trim($ip[0]);
 	} elseif( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
 		$ip = $_SERVER['REMOTE_ADDR'];
 	}

tests/tests-misc.php

@@ -57,6 +57,19 @@ public function test_get_ip() {
 		$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
 	}
 
+	public function test_get_ip_reverse_proxies() {
+		$_SERVER['HTTP_X_FORWARDED_FOR'] = '123.123.123.123, 10.0.0.2';
+		$this->assertEquals( '123.123.123.123', edd_get_ip() );
+		unset($_SERVER['HTTP_X_FORWARDED_FOR']);
+	}
+
+	public function test_get_ip_reverse_proxy() {
+		$_SERVER['HTTP_X_FORWARDED_FOR'] = '123.123.123.123';
+		$this->assertEquals( '123.123.123.123', edd_get_ip() );
+		unset($_SERVER['HTTP_X_FORWARDED_FOR']);
+	}
+
+
 	public function test_get_currencies() {
 		$expected = array(
 			'USD'  => __( 'US Dollars ($)', 'easy-digital-downloads' ),