Opened 5 years ago

Closed 5 years ago

#11393 closed defect (bug) (fixed)

class-ftp.php doesn't check correctly for IP validity under PHP5

Reported by: miqrogroove
Owned by:
Milestone: 2.9
Priority: normal
Severity: minor
Version:
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

http://core.trac.wordpress.org/browser/trunk/wp-admin/includes/class-ftp.php#L281

if(ip2long($ip) === -1) {

ip2long() never returns int(-1) in PHP5, except on 32-bit servers.

Attachments (1)

11393.diff (527 bytes) - added by nacin 5 years ago.
Checks for false in addition to -1.

Change History (7)

@nacin 5 years ago

Checks for false in addition to -1.

comment:1 @nacin 5 years ago

  • Keywords has-patch added

Attached is a simple fix to allow for both. Pretty sure that's exactly what the PHP docs suggest.

comment:2 @miqrogroove 5 years ago

Just for reference, Akismet is using

if ( $ip && long2ip(ip2long($ip)) ) {

Checking FALSE is much easier to read, so nacin's patch has my vote.

comment:3 @nacin 5 years ago

Yea, I was going to reference Akismet's use of long2ip & ip2long together. I'm pretty sure that's to correct to whether an IP is valid, not to check whether it is valid, if that makes sense, though I suppose both would work here.

Both examples appear in the PHP docs: http://php.net/ip2long.

comment:4 @westi 5 years ago

  • Summary changed from class-ftp.php Using a PHP4 Return Value to class-ftp.php doesn't check correctly for IP validity under PHP5

comment:5 @westi 5 years ago

The check in Akismet won't actually work anyway.

For example, "Howdy" && long2ip(ip2long("Howdy")) will evaluate to true, as the string evaluates to true and the false returned by ip2long will cast to an int(0) fine, which becomes an IP address of "0.0.0.0", which as a string will evaluate to true.

comment:6 @westi 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12387]) Fix the IP Address validation code in the FTP class. Fixes #11393 props nacin.
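
The three checks discussed in this ticket, run side by side over constructed inputs. This is an added example, not code from WordPress, Akismet or the attached patch: the function names are hypothetical, and the "patched" check is written only from the attachment's description (false in addition to -1).

```php
<?php
// Added illustration. Function names are hypothetical; this is not
// WordPress, Akismet, or the attached patch.

// Check quoted in the ticket description: rejects only int(-1).
function invalid_by_original_check($ip) {
    return ip2long($ip) === -1;
}

// Written from the attachment's description: false in addition to -1.
function invalid_by_patched_check($ip) {
    $long = ip2long($ip);
    return $long === false || $long === -1;
}

// Expression quoted in comment:2, inverted so all three functions answer
// the same question ("is this input rejected?").
function invalid_by_roundtrip_check($ip) {
    return !( $ip && long2ip(ip2long($ip)) );
}

// Constructed inputs: a documentation address, the string from comment:5,
// an out-of-range octet, an empty string, and the broadcast address, whose
// ip2long() value depends on integer width (PHP_INT_SIZE).
$samples = array('192.0.2.10', 'Howdy', '999.1.1.1', '', '255.255.255.255');

$label = function ($rejected) { return $rejected ? 'rejected' : 'accepted'; };

printf("PHP %s, %d-bit integers\n", PHP_VERSION, PHP_INT_SIZE * 8);
printf("%-20s %-10s %-10s %-10s\n", 'input', 'original', 'patched', 'roundtrip');
foreach ($samples as $ip) {
    printf("%-20s %-10s %-10s %-10s\n",
        var_export($ip, true),
        $label(invalid_by_original_check($ip)),
        $label(invalid_by_patched_check($ip)),
        $label(invalid_by_roundtrip_check($ip))
    );
}
```

Run it with the `php` CLI. The first output line records the integer width, which is what decides the `255.255.255.255` row.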