diff --git src/wp-includes/class-wp-application-passwords.php src/wp-includes/class-wp-application-passwords.php index 8ed02dd6f3..af4103529c 100644 --- src/wp-includes/class-wp-application-passwords.php +++ src/wp-includes/class-wp-application-passwords.php @@ -347,7 +347,11 @@ class WP_Application_Passwords { } $password['last_used'] = time(); - $password['last_ip'] = $_SERVER['REMOTE_ADDR']; + + // Get remote IP address. + $remote_addr = filter_input( INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP ); + + $password['last_ip'] = isset( $remote_addr ) ? $remote_addr : null; $saved = static::set_user_application_passwords( $user_id, $passwords ); diff --git src/wp-includes/class-wp-session-tokens.php src/wp-includes/class-wp-session-tokens.php index 9482e1b948..b5eb90ed49 100644 --- src/wp-includes/class-wp-session-tokens.php +++ src/wp-includes/class-wp-session-tokens.php @@ -129,9 +129,12 @@ abstract class WP_Session_Tokens { $session = apply_filters( 'attach_session_information', array(), $this->user_id ); $session['expiration'] = $expiration; + // Get the IP address and user-agent. + $remore_addr = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP); + // IP address. - if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) { - $session['ip'] = $_SERVER['REMOTE_ADDR']; + if ( ! empty( $remore_addr ) ) { + $session['ip'] = $remore_addr; } // User-agent. diff --git src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php index a0b68759f9..592a4f21ad 100644 --- src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php +++ src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php @@ -495,7 +495,11 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { } if ( isset( $request['author_ip'] ) && ! current_user_can( 'moderate_comments' ) ) { - if ( empty( $_SERVER['REMOTE_ADDR'] ) || $request['author_ip'] !== $_SERVER['REMOTE_ADDR'] ) { + + // Get remote IP address. + $remote_addr = filter_input( INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP ); + + if ( empty( $remote_addr ) || $request['author_ip'] !== $remote_addr ) { return new WP_Error( 'rest_comment_invalid_author_ip', /* translators: %s: Request parameter. */ @@ -1300,6 +1304,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { protected function prepare_item_for_database( $request ) { $prepared_comment = array(); + // Get remote IP address. + $remote_addr = filter_input( INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP ); + /* * Allow the comment_content to be set via the 'content' or * the 'content.raw' properties of the Request object. @@ -1349,8 +1356,8 @@ class WP_REST_Comments_Controller extends WP_REST_Controller { if ( isset( $request['author_ip'] ) && current_user_can( 'moderate_comments' ) ) { $prepared_comment['comment_author_IP'] = $request['author_ip']; - } elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) && rest_is_ip_address( $_SERVER['REMOTE_ADDR'] ) ) { - $prepared_comment['comment_author_IP'] = $_SERVER['REMOTE_ADDR']; + } elseif ( ! empty( $remote_addr ) && rest_is_ip_address( $remote_addr ) ) { + $prepared_comment['comment_author_IP'] = $remote_addr; } else { $prepared_comment['comment_author_IP'] = '127.0.0.1'; } diff --git src/wp-includes/user.php src/wp-includes/user.php index 8d4aab98c1..77c1344094 100644 --- src/wp-includes/user.php +++ src/wp-includes/user.php @@ -3303,7 +3303,10 @@ function retrieve_password( $user_login = '' ) { $message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n"; if ( ! is_user_logged_in() ) { - $requester_ip = $_SERVER['REMOTE_ADDR']; + // Get remote address. + $remote_addr = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP); + + $requester_ip = isset( $remote_addr ) ? $remote_addr : ''; if ( $requester_ip ) { $message .= sprintf( /* translators: %s: IP address of password reset requester. */