path: root/www/typolight28/patches/patch-ae
$NetBSD: patch-ae,v 1.1.2.2 2011/01/08 15:01:11 tron Exp $

* Protect against XSS attacks via the X_FORWARDED_FOR header, from repository r587.

--- system/libraries/Environment.php.orig	2010-04-12 15:52:19.000000000 +0000
+++ system/libraries/Environment.php
@@ -312,7 +312,11 @@ class Environment
 	 */
 	protected function ip()
 	{
-		return !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
+        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) && preg_match('/^[A-Fa-f0-9, \.\:]+$/', $_SERVER['HTTP_X_FORWARDED_FOR']))
+		{
+			return $_SERVER['HTTP_X_FORWARDED_FOR'];
+		}
+		return $_SERVER['REMOTE_ADDR'];
 	}