summaryrefslogtreecommitdiffstats
path: root/system/core/Input.php
diff options
context:
space:
mode:
authorFlorian Pritz <bluewind@xinu.at>2012-10-08 18:04:12 +0200
committerFlorian Pritz <bluewind@xinu.at>2012-10-08 18:04:12 +0200
commit74dcbbf816deb0cb05e43f1843f6b84b51966470 (patch)
treeb4ceb0a46fb54366d8943325d9e91895e78a03c0 /system/core/Input.php
parentb12d7cb03ab1ef63baab4a8d4b1380e6990c1437 (diff)
parent05e8c03b6742033cf88885cb86217cadca3a4567 (diff)
Merge tag '2.1.3'
Conflicts: user_guide Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'system/core/Input.php')
-rwxr-xr-xsystem/core/Input.php71
1 files changed, 35 insertions, 36 deletions
diff --git a/system/core/Input.php b/system/core/Input.php
index 3559d8607..0c1f2b08e 100755
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -73,13 +73,13 @@ class CI_Input {
*/
protected $headers = array();
-
/**
* Constructor
*
* Sets whether to globally enable the XSS processing
* and whether to allow the $_GET array
*
+ * @return void
*/
public function __construct()
{
@@ -306,50 +306,49 @@ class CI_Input {
/**
* Fetch the IP Address
*
- * @access public
* @return string
*/
- function ip_address()
+ public function ip_address()
{
if ($this->ip_address !== FALSE)
{
return $this->ip_address;
}
- if (config_item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR'))
+ $proxy_ips = config_item('proxy_ips');
+ if ( ! empty($proxy_ips))
{
- $proxies = preg_split('/[\s,]/', config_item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY);
- $proxies = is_array($proxies) ? $proxies : array($proxies);
+ $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips));
+ foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header)
+ {
+ if (($spoof = $this->server($header)) !== FALSE)
+ {
+ // Some proxies typically list the whole chain of IP
+ // addresses through which the client has reached us.
+ // e.g. client_ip, proxy_ip1, proxy_ip2, etc.
+ if (strpos($spoof, ',') !== FALSE)
+ {
+ $spoof = explode(',', $spoof, 2);
+ $spoof = $spoof[0];
+ }
- $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
- }
- elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
- {
- $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
- }
- elseif ($this->server('REMOTE_ADDR'))
- {
- $this->ip_address = $_SERVER['REMOTE_ADDR'];
- }
- elseif ($this->server('HTTP_CLIENT_IP'))
- {
- $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
- }
- elseif ($this->server('HTTP_X_FORWARDED_FOR'))
- {
- $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
- }
+ if ( ! $this->valid_ip($spoof))
+ {
+ $spoof = FALSE;
+ }
+ else
+ {
+ break;
+ }
+ }
+ }
- if ($this->ip_address === FALSE)
- {
- $this->ip_address = '0.0.0.0';
- return $this->ip_address;
+ $this->ip_address = ($spoof !== FALSE && in_array($_SERVER['REMOTE_ADDR'], $proxy_ips, TRUE))
+ ? $spoof : $_SERVER['REMOTE_ADDR'];
}
-
- if (strpos($this->ip_address, ',') !== FALSE)
+ else
{
- $x = explode(',', $this->ip_address);
- $this->ip_address = trim(end($x));
+ $this->ip_address = $_SERVER['REMOTE_ADDR'];
}
if ( ! $this->valid_ip($this->ip_address))
@@ -642,8 +641,8 @@ class CI_Input {
$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
- // CSRF Protection check
- if ($this->_enable_csrf == TRUE)
+ // CSRF Protection check on HTTP requests
+ if ($this->_enable_csrf == TRUE && ! $this->is_cli_request())
{
$this->security->csrf_verify();
}
@@ -837,11 +836,11 @@ class CI_Input {
*
* Test to see if a request was made from the command line
*
- * @return boolean
+ * @return bool
*/
public function is_cli_request()
{
- return (php_sapi_name() == 'cli') or defined('STDIN');
+ return (php_sapi_name() === 'cli' OR defined('STDIN'));
}
}