author | Nils Adermann <naderman@naderman.de> | 2011-06-10 00:53:38 +0200 |
---|---|---|
committer | Nils Adermann <naderman@naderman.de> | 2011-06-10 00:53:38 +0200 |
commit | ca1944ebe2ca5a5641f9a3656382abeb5d6bae56 (patch) | |
tree | 45cfd6b5343617dd0d586a8a15619559a60fec41 /phpBB/includes/session.php | |
parent | 735cae076a2b2814e40dda08b5f4dacf0b408345 (diff) | |
parent | cdfbd82504c5433241f83de28e1c9567b2f98b4a (diff) | |
Merge branch 'develop-olympus' into develop
* develop-olympus:
[ticket/9802] Remove unnecessary htmlspecialchars() call on REMOTE_ADDR.
[ticket/9802] Only check for IPv4-mapped address when address is IPv6.
[ticket/9802] Fix tiny logic bug in loop determining REMOTE_ADDR.
[ticket/9802] Remove redundant character class definition from preg_replace.
[ticket/9802] Fix redundant str_replace call. No need to replace ' ' with ' '.
Conflicts:
phpBB/includes/session.php
Diffstat (limited to 'phpBB/includes/session.php')
-rw-r--r-- | phpBB/includes/session.php | 41 |
1 files changed, 23 insertions, 18 deletions
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 0edc8bfc2f..6d6bd35f3f 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -222,7 +222,7 @@ class session
 // if the forwarded for header shall be checked we have to validate its contents
 if ($config['forwarded_for_check'])
 {
- $this->forwarded_for = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->forwarded_for));
+ $this->forwarded_for = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->forwarded_for));
 // split the list of IPs
 $ips = explode(' ', $this->forwarded_for);
@@ -268,11 +268,11 @@ class session
 // Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
 // it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
- $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : '';
- $this->ip = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->ip));
+ $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? (string) $_SERVER['REMOTE_ADDR'] : '';
+ $this->ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->ip));
 // split the list of IPs
- $ips = explode(' ', $this->ip);
+ $ips = explode(' ', trim($this->ip));
 // Default IP if REMOTE_ADDR is invalid
 $this->ip = '127.0.0.1';
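Review bot: The forwarded-for list in the first hunk is still exploded without `trim()`, unlike the REMOTE_ADDR path later in this diff, so a header value with a leading or trailing separator leaves empty elements in `$ips`. The header is client-supplied, and only commas and runs of spaces are normalised here, so tabs pass through unchanged. Bringing the context line into step with the other path, `$ips = explode(' ', trim($this->forwarded_for));`, would make both tokenise the same way. The loop that validates `$ips` lies outside this hunk, so whether it already tolerates empty elements cannot be confirmed from here.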
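Review bot: With `htmlspecialchars()` dropped from the first assignment in the second hunk, nothing between `$_SERVER['REMOTE_ADDR']` and `$this->ip` escapes the value, so every later use of it presumably relies on the ipv4/ipv6 match in the loop further down. That invariant deserves a comment where the default is set, for example `// $this->ip only ever holds 127.0.0.1 or a value that matched the ipv4/ipv6 expression; never assign it unvalidated`. It also makes the anchoring of the patterns returned by `get_preg_expression()` security-relevant: they have to match the whole string, which is not visible in this diff and is worth confirming. The validating loop starts after this hunk.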
@@ -297,26 +297,31 @@ class session
 continue;
 }
- // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly
- if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip))
+ if (preg_match(get_preg_expression('ipv4'), $ip))
 {
- // Just break
- break;
+ $this->ip = $ip;
 }
-
- // Quick check for IPv4-mapped address in IPv6
- if (stripos($ip, '::ffff:') === 0)
+ else if (preg_match(get_preg_expression('ipv6'), $ip))
 {
- $ipv4 = substr($ip, 7);
-
- if (preg_match(get_preg_expression('ipv4'), $ipv4))
+ // Quick check for IPv4-mapped address in IPv6
+ if (stripos($ip, '::ffff:') === 0)
 {
- $ip = $ipv4;
+ $ipv4 = substr($ip, 7);
+
+ if (preg_match(get_preg_expression('ipv4'), $ipv4))
+ {
+ $ip = $ipv4;
+ }
 }
- }
- // Use the last in chain
- $this->ip = $ip;
+ $this->ip = $ip;
+ }
+ else
+ {
+ // We want to use the last valid address in the chain
+ // Leave foreach loop when address is invalid
+ break;
+ }
 }
 $this->load = false; |
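Review bot: The IPv4-mapped shortcut in the new `else if` branch only recognises the dotted spelling, such as the constructed example `::ffff:192.0.2.1`. If the ipv6 expression also accepts the hexadecimal spelling of the same address (`::ffff:c000:201`), that value is stored in `$this->ip` as an IPv6 string. Any code that compares `$this->ip` textually (ban lists or session IP validation are likely candidates, though neither is visible here) could then treat one client as two different addresses. Either normalise on the packed form from `inet_pton()` before deciding whether the address is mapped, or state the limitation next to the check: `// only the dotted form of an IPv4-mapped address is folded to IPv4`. The `foreach` this body belongs to begins outside the hunk.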