Ticket #63188: 63188.patch

src/wp-includes/class-wp-application-passwords.php

@@ -347 +347 @@
                         }
 
                         $password['last_used'] = time();
-                        $password['last_ip']   = $_SERVER['REMOTE_ADDR'];
+
+                        // Get remote IP address.
+                        $remote_addr = filter_input( INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP );
+
+                        $password['last_ip']   = isset( $remote_addr ) ? $remote_addr : null;
 
                         $saved = static::set_user_application_passwords( $user_id, $passwords );
 

src/wp-includes/class-wp-session-tokens.php

@@ -129 +129 @@
                 $session               = apply_filters( 'attach_session_information', array(), $this->user_id );
                 $session['expiration'] = $expiration;
 
+                // Get the IP address and user-agent.
+                $remore_addr = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP);
+
                 // IP address.
-                if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
-                        $session['ip'] = $_SERVER['REMOTE_ADDR'];
+                if ( ! empty( $remore_addr ) ) {
+                        $session['ip'] = $remore_addr;
                 }
 
                 // User-agent.

src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php

@@ -495 +495 @@
                 }
 
                 if ( isset( $request['author_ip'] ) && ! current_user_can( 'moderate_comments' ) ) {
-                        if ( empty( $_SERVER['REMOTE_ADDR'] ) || $request['author_ip'] !== $_SERVER['REMOTE_ADDR'] ) {
+                        
+                        // Get remote IP address.
+                        $remote_addr = filter_input( INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP );
+
+                        if ( empty( $remote_addr ) || $request['author_ip'] !== $remote_addr ) {
                                 return new WP_Error(
                                         'rest_comment_invalid_author_ip',
                                         /* translators: %s: Request parameter. */
@@ -1300 +1304 @@
         protected function prepare_item_for_database( $request ) {
                 $prepared_comment = array();
 
+                // Get remote IP address.
+                $remote_addr = filter_input( INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP );
+
                 /*
                  * Allow the comment_content to be set via the 'content' or
                  * the 'content.raw' properties of the Request object.
@@ -1349 +1356 @@
 
                 if ( isset( $request['author_ip'] ) && current_user_can( 'moderate_comments' ) ) {
                         $prepared_comment['comment_author_IP'] = $request['author_ip'];
-                } elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) && rest_is_ip_address( $_SERVER['REMOTE_ADDR'] ) ) {
-                        $prepared_comment['comment_author_IP'] = $_SERVER['REMOTE_ADDR'];
+                } elseif ( ! empty( $remote_addr ) && rest_is_ip_address( $remote_addr ) ) {
+                        $prepared_comment['comment_author_IP'] = $remote_addr;
                 } else {
                         $prepared_comment['comment_author_IP'] = '127.0.0.1';
                 }

src/wp-includes/user.php

@@ -3303 +3303 @@
         $message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
 
         if ( ! is_user_logged_in() ) {
-                $requester_ip = $_SERVER['REMOTE_ADDR'];
+                // Get remote address.
+                $remote_addr = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP);
+                
+                $requester_ip = isset( $remote_addr ) ? $remote_addr : '';
                 if ( $requester_ip ) {
                         $message .= sprintf(
                                 /* translators: %s: IP address of password reset requester. */