From c4ed43cf6bcb82318fc6252a847e89f5d6e507fe Mon Sep 17 00:00:00 2001
From: Tyler Anthony Romeo
Date: Wed, 22 Aug 2012 16:38:25 -0400
Subject: [PATCH] (bug 26585) Detect CSV/array values in $_SERVER['REMOTE_ADDR'].

Changed WebRequest::getRawIP to check for values of $_SERVER['REMOTE_ADDR'] that are either an array or a comma separated list of IP addresses, and throw an exception. Original patch by Ilmari Karonen. Adapted from original patch to work with newer MediaWiki version.

Change-Id: I4b3c56adf46b336c5032db3f2a1e621c873f0d83
---
 includes/WebRequest.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 2cc6338b96..74184b1fc5 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -1046,11 +1046,17 @@ HTML;
 * @return String
 */
 protected function getRawIP() {
- if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
- return IP::canonicalize( $_SERVER['REMOTE_ADDR'] );
- } else {
+ if ( !isset( $_SERVER['REMOTE_ADDR'] ) ) {
 return null;
 }
+
+ if ( is_array( $_SERVER['REMOTE_ADDR'] ) || strpos( $_SERVER['REMOTE_ADDR'], ',' ) !== false ) {
+ throw new MWException( __METHOD__ . " : Could not determine the remote IP address due to multiple values." );
+ } else {
+ $ipchain = $_SERVER['REMOTE_ADDR'];
+ }
+
+ return IP::canonicalize( $ipchain );
 }

 /**
--
2.20.1
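Review bot: The new multi-value check in getRawIP() carries no comment saying why it fails closed, and the docblock above it (which starts outside the hunk) still reads `@return String` although the method returns null when REMOTE_ADDR is unset and now throws. I would add `@throws MWException`, make the return `String|null`, and put a comment over the check such as `// A list or array here means a proxy or server config rewrote REMOTE_ADDR; refuse rather than guess which entry is the client.` The `else` branch is redundant after the `throw`, and `$ipchain` is a misleading name for what is by then a single value; the tail could simply be `return IP::canonicalize( $_SERVER['REMOTE_ADDR'] );`. Values that are malformed in some other way (no comma) still go to IP::canonicalize(), so its handling of invalid input, not shown here, decides what happens to them.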