WordPress.org

Make WordPress Core


Ignore:
Timestamp:
04/10/2018 11:18:04 PM (19 months ago)
Author:
iandunn
Message:

Dashboard: Strip more extraneous IP parts to prevent PHP warnings.

This iterates on earlier versions of the code, in order to handle more edge cases. An arbitrary string like or=\" will now be stripped, as well as reachability scopes like %eth0.

Props eamax, soulseekah, iandunn.
Fixes #41083.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/class-wp-community-events.php

    r42826 r42968  
    234234     */
    235235    public static function get_unsafe_client_ip() {
    236         $client_ip = $netmask = false;
     236        $client_ip = false;
    237237        $ip_prefix = '';
    238238
     
    280280        if ( $is_ipv6 ) {
    281281            // IPv6 addresses will always be enclosed in [] if there's a port.
    282             $ip_start = 1;
    283             $ip_end   = (int) strpos( $client_ip, ']' ) - 1;
    284             $netmask  = 'ffff:ffff:ffff:ffff:0000:0000:0000:0000';
     282            $left_bracket  = strpos( $client_ip, '[' );
     283            $right_bracket = strpos( $client_ip, ']' );
     284            $percent       = strpos( $client_ip, '%' );
     285            $netmask       = 'ffff:ffff:ffff:ffff:0000:0000:0000:0000';
    285286
    286287            // Strip the port (and [] from IPv6 addresses), if they exist.
    287             if ( $ip_end > 0 ) {
    288                 $client_ip = substr( $client_ip, $ip_start, $ip_end );
     288            if ( false !== $left_bracket && false !== $right_bracket ) {
     289                $client_ip = substr( $client_ip, $left_bracket + 1, $right_bracket - $left_bracket - 1 );
     290            } elseif ( false !== $left_bracket || false !== $right_bracket ) {
     291                // The IP has one bracket, but not both, so it's malformed.
     292                return false;
     293            }
     294
     295            // Strip the reachability scope.
     296            if ( false !== $percent ) {
     297                $client_ip = substr( $client_ip, 0, $percent );
     298            }
     299
     300            // No invalid characters should be left.
     301            if ( preg_match( '/[^0-9a-f:]/i', $client_ip ) ) {
     302                return false;
    289303            }
    290304
Note: See TracChangeset for help on using the changeset viewer.