Changed WebRequest::getRawIP to check for values of
$_SERVER['REMOTE_ADDR'] that are either an array
or a comma separated list of IP addresses, and throw
an exception.
Original patch by Ilmari Karonen. Adapted from original
patch to work with newer MediaWiki version.
Change-Id: I4b3c56adf46b336c5032db3f2a1e621c873f0d83
* @return String
*/
protected function getRawIP() {
- if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
- return IP::canonicalize( $_SERVER['REMOTE_ADDR'] );
- } else {
+ if ( !isset( $_SERVER['REMOTE_ADDR'] ) ) {
return null;
}
+
+ if ( is_array( $_SERVER['REMOTE_ADDR'] ) || strpos( $_SERVER['REMOTE_ADDR'], ',' ) !== false ) {
+ throw new MWException( __METHOD__ . " : Could not determine the remote IP address due to multiple values." );
+ } else {
+ $ipchain = $_SERVER['REMOTE_ADDR'];
+ }
+
+ return IP::canonicalize( $ipchain );
}
/**