(bug 26585) Detect CSV/array values in $_SERVER['REMOTE_ADDR'].
authorTyler Anthony Romeo <tylerromeo@gmail.com>
Wed, 22 Aug 2012 20:38:25 +0000 (16:38 -0400)
committerTyler Anthony Romeo <tylerromeo@gmail.com>
Tue, 23 Oct 2012 21:14:33 +0000 (17:14 -0400)
Changed WebRequest::getRawIP to check for values of
$_SERVER['REMOTE_ADDR'] that are either an array
or a comma-separated list of IP addresses, and to throw
an exception in that case.

Original patch by Ilmari Karonen. Adapted from original
patch to work with newer MediaWiki version.

Change-Id: I4b3c56adf46b336c5032db3f2a1e621c873f0d83

includes/WebRequest.php

index 2cc6338..74184b1 100644 (file)
@@ -1046,11 +1046,17 @@ HTML;
         * @return String
         */
        protected function getRawIP() {
-               if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
-                       return IP::canonicalize( $_SERVER['REMOTE_ADDR'] );
-               } else {
+               if ( !isset( $_SERVER['REMOTE_ADDR'] ) ) {
                        return null;
                }
+
+               if ( is_array( $_SERVER['REMOTE_ADDR'] ) || strpos( $_SERVER['REMOTE_ADDR'], ',' ) !== false ) {
+                       throw new MWException( __METHOD__ . " : Could not determine the remote IP address due to multiple values." );
+               } else {
+                       $ipchain = $_SERVER['REMOTE_ADDR'];
+               }
+
+               return IP::canonicalize( $ipchain );
        }
 
        /**
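Review bot: The multi-value guard added to getRawIP() throws without any comment on why it refuses the request instead of taking one entry from the list, and the docblock (which starts above this hunk) still says only `@return String` even though the method returns null when REMOTE_ADDR is unset and now throws. I would put `// REMOTE_ADDR should hold exactly one address; a list or array suggests something upstream overwrote it, possibly from a client-supplied forwarding header, so fail closed rather than guess.` above the `is_array()` check, and change the docblock to `@return String|null` plus `@throws MWException`. As a matter of style the `else` after the `throw` and the `$ipchain` temporary are unnecessary (the value is a single address by then, not a chain); the tail could be just `return IP::canonicalize( $_SERVER['REMOTE_ADDR'] );`. The guard only looks for a comma, so it is worth confirming that IP::canonicalize() rejects other malformed values, since that helper is not visible here.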