
Merge pull request #2671 from janisto/user_host_address

Fix #2670
2 parents 70e92c1 + dbe3511 commit e8ba2d5817803d331d1afd59b478b3ec2dc5c727 @cebe cebe committed Jan 28, 2014
Showing with 8 additions and 1 deletion.
  1. +1 −0 CHANGELOG
  2. +7 −1 framework/web/CHttpRequest.php
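--- a/CHANGELOG
+++ b/CHANGELOG
@@ -65,6 +65,7 @@ Version 1.1.15 under development
 - Enh #3115: Updated phpdoc for better code completion in modern IDEs (samdark)
 - Enh #3147: Updated Request::getIsSecureConnection() to work with lower and uppercase config values (cebe)
 - Enh #3182: Added namespace support for controllers in subdirectories (Ekstazi, samdark)
+- Enh #2670: Validate IP address in getUserHostAddress() (janisto)
 - Chg #3137: Upgraded HTMLPurifier to 4.6.0 (samdark)
 - New #2955: Added official support for MariaDB (cebe, DaSourcerer)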
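--- a/framework/web/CHttpRequest.php
+++ b/framework/web/CHttpRequest.php
@@ -720,7 +720,13 @@ public function getUserAgent()
 */
 public function getUserHostAddress()
 {
- return isset($_SERVER['REMOTE_ADDR'])?$_SERVER['REMOTE_ADDR']:'127.0.0.1';
+ $ip=isset($_SERVER['REMOTE_ADDR'])?$_SERVER['REMOTE_ADDR']:'127.0.0.1';
+ if(version_compare(PHP_VERSION,'5.2.0')>=0)
+ if(filter_var($ip,FILTER_VALIDATE_IP,FILTER_FLAG_NO_PRIV_RANGE|FILTER_FLAG_NO_RES_RANGE)!==false)
+ return $ip;
+ else
+ return $ip;
+ return '127.0.0.1';
 }
 /**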
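Review bot: The unbraced `else` in the new getUserHostAddress() body attaches to the inner `filter_var` check, not to the `version_compare` one, so on PHP 5.2.0 and later both branches `return $ip` and the validation has no effect, while on older PHP the method now always returns '127.0.0.1'. The page has lost the indentation, so the intended pairing is inferred, but PHP binds `else` to the nearest `if` regardless of layout. Adding braces alone would not be enough: with `FILTER_FLAG_NO_PRIV_RANGE|FILTER_FLAG_NO_RES_RANGE` a well-formed REMOTE_ADDR from a private or reserved range would be rewritten to '127.0.0.1', which hides the real client in logs and lets it match any allow-list that trusts localhost. I would check syntax only and keep the address otherwise: `if(version_compare(PHP_VERSION,'5.2.0')>=0 && filter_var($ip,FILTER_VALIDATE_IP)===false) return '127.0.0.1';` followed by `return $ip;`.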
