From: Tyler Anthony Romeo Date: Wed, 22 Aug 2012 20:38:25 +0000 (-0400) Subject: (bug 26585) Detect CSV/array values in $_SERVER['REMOTE_ADDR']. X-Git-Tag: 1.31.0-rc.0~21892^2 X-Git-Url: http://git.cyclocoop.org//%22%22._DIR_PLUGIN_FULLCALENDAR.%22prive/themes/spip/images/event_edit.png/%22?a=commitdiff_plain;h=c4ed43cf6bcb82318fc6252a847e89f5d6e507fe;p=lhc%2Fweb%2Fwiklou.git (bug 26585) Detect CSV/array values in $_SERVER['REMOTE_ADDR']. Changed WebRequest::getRawIP to check for values of $_SERVER['REMOTE_ADDR'] that are either an array or a comma separated list of IP addresses, and throw an exception. Original patch by Ilmari Karonen. Adapted from original patch to work with newer MediaWiki version. Change-Id: I4b3c56adf46b336c5032db3f2a1e621c873f0d83
---
diff --git a/includes/WebRequest.php b/includes/WebRequest.php
index 2cc6338b96..74184b1fc5 100644
--- a/includes/WebRequest.php
+++ b/includes/WebRequest.php
@@ -1046,11 +1046,17 @@ HTML;
 * @return String
 */
 protected function getRawIP() {
- if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
- return IP::canonicalize( $_SERVER['REMOTE_ADDR'] );
- } else {
+ if ( !isset( $_SERVER['REMOTE_ADDR'] ) ) {
 return null;
 }
+
+ if ( is_array( $_SERVER['REMOTE_ADDR'] ) || strpos( $_SERVER['REMOTE_ADDR'], ',' ) !== false ) {
+ throw new MWException( __METHOD__ . " : Could not determine the remote IP address due to multiple values." );
+ } else {
+ $ipchain = $_SERVER['REMOTE_ADDR'];
+ }
+
+ return IP::canonicalize( $ipchain );
 }

 /**
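Review bot: The new guard in getRawIP() rejects only an array or a comma-separated `$_SERVER['REMOTE_ADDR']`, so any other malformed value (a space-separated list written by a misconfigured proxy module, for instance) still reaches `IP::canonicalize()`. Whether such a value is refused depends on that helper and on the caller, neither of which is visible in this hunk, so it is worth confirming that an unparseable address is treated as a failure and never recorded as the client address. Because the `if` branch throws, the `else` and the `$ipchain` temporary are unnecessary, and the name suggests a proxy chain where there is a single address; `return IP::canonicalize( $_SERVER['REMOTE_ADDR'] );` placed directly after the guard says the same thing. The docblock, which starts above the hunk, still reads `@return String` although the method returns null when REMOTE_ADDR is unset and now throws; I would add `@throws MWException` and change the tag to `@return String|null`.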