Make WordPress Core

Opened 7 weeks ago

Last modified 7 weeks ago

#63188 new defect (bug)

Getting 'Header "REMOTE_ADDR" is user-controlled and should be properly validated before use' errors in the core files.

Reported by: viralsampat
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: General
Keywords: needs-testing 2nd-opinion changes-requested
Focuses: coding-standards
Cc:

Description

Hello Team,

I have checked the wp-admin WordPress core files and I have found this 'Header "REMOTE_ADDR" is user-controlled and should be properly validated before use' error for a few files. I think that it should be resolved.

Here, I have listed the files:

src/wp-includes/class-wp-application-passwords.php
src/wp-includes/class-wp-session-tokens.php
src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
src/wp-includes/user.php

I have tested this on WordPress 6.8-beta1.

Thanks,

Attachments (2)

63188.patch (4.1 KB) - added by viralsampat 7 weeks ago.
I have checked the above-mentioned issue and found a few files. Here, I have added its patch.
63188.2.patch (763 bytes) - added by viralsampat 5 weeks ago.
I have updated my patch and changed the variable name as per the requirement.


Change History (6)

@viralsampat
7 weeks ago

I have checked the above-mentioned issue and found a few files. Here, I have added its patch.

#1 @audrasjb
7 weeks ago

  • Keywords dev-feedback removed

Hello, thanks for the ticket and patch,

Some thoughts:

  • there is a wrong $remore_addr var name
  • I think the inline comments are unnecessary
  • I'm wondering whether we really need to validate these values since it appears they are never used directly. By the way, even if there is no security threat, it's better if we follow our own best practices. So I'm inclined to say "yes" :)

#2 @audrasjb
7 weeks ago

  • Keywords changes-requested added

#3 @viralsampat
7 weeks ago

Hello @audrasjb

Thank you so much for your feedback.

I will update my patch and change the variable name to an appropriate one.

Thanks,

#4 @siliconforks
7 weeks ago

I was under the impression that filter_input() and other filter_* functions are not allowed to be used in core WordPress (because they are not guaranteed to be available)?

https://github.com/WordPress/wordpress-develop/blob/6d0f1857f092c5bc891cb3fdd1b356118bd00a67/src/wp-includes/functions.php#L7312

https://www.php.net/manual/en/filter.installation.php

@viralsampat
5 weeks ago

I have updated my patch and changed the variable name as per the requirement.
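The validation the ticket asks for, written around the concern in comment #4 that the filter_* functions are not guaranteed to exist: an added example, not part of the ticket, either patch, or WordPress core. The helper name is hypothetical, and inet_pton()/inet_ntop() (always available in PHP) stand in for filter_var(FILTER_VALIDATE_IP).

```php
<?php
// Added example (not from the ticket or WordPress core): validate the
// REMOTE_ADDR server variable before it is stored or compared, e.g. in a
// session token or a comment's author IP. Helper name is hypothetical.

/**
 * Return REMOTE_ADDR as a canonical IPv4/IPv6 string, or '' if it is
 * missing or not a syntactically valid bare address literal.
 *
 * inet_pton() is used instead of filter_var( FILTER_VALIDATE_IP ) so the
 * check does not depend on the optional filter extension.
 */
function example_validated_remote_addr( array $server ) : string {
	if ( ! isset( $server['REMOTE_ADDR'] ) || ! is_string( $server['REMOTE_ADDR'] ) ) {
		return '';
	}

	// Whitelist the characters an IP literal may contain before parsing;
	// this rejects newlines, spaces, brackets and other stray bytes outright.
	$ip = $server['REMOTE_ADDR'];
	if ( ! preg_match( '/^[0-9A-Fa-f:.]{1,45}$/', $ip ) ) {
		return '';
	}

	// inet_pton() returns false for anything that is not a bare IPv4/IPv6
	// address (e.g. a trailing ":port"). Older PHP raises a warning on
	// malformed input, hence the suppression.
	$packed = @inet_pton( $ip );
	if ( false === $packed ) {
		return '';
	}

	// Round-trip through inet_ntop() to canonicalise the spelling (lower-case,
	// compressed IPv6), so equality checks against a stored value are stable.
	$canonical = inet_ntop( $packed );
	return false === $canonical ? '' : $canonical;
}

// Constructed sample inputs covering the common cases.
$samples = array(
	array( 'REMOTE_ADDR' => '203.0.113.7' ),         // valid IPv4 -> '203.0.113.7'
	array( 'REMOTE_ADDR' => '2001:DB8::0001' ),      // valid IPv6 -> '2001:db8::1'
	array( 'REMOTE_ADDR' => '203.0.113.7:8080' ),    // port appended -> ''
	array( 'REMOTE_ADDR' => "203.0.113.7\r\nX: y" ), // injected newline -> ''
	array(),                                          // missing (CLI) -> ''
);
foreach ( $samples as $server ) {
	var_export( example_validated_remote_addr( $server ) );
	echo "\n";
}
```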
