From d2f63a1803503a09b2d92d4aedd793636d470c7b Mon Sep 17 00:00:00 2001
From: rajatsharma94
Date: Thu, 23 Jul 2015 19:05:17 +0530
Subject: IP checking false positives and no ipv6 check

The currently implemented method marks all IPs between 0.0.0.0 - 999.999.999.999 as valid IP Address. Which generates false positives as any IP after 255.255.255.255 is not a valid IP address. Also, there is no check for IPv6 IP addresses. filter_var() solves both the issues.
---
 system/helpers/path_helper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/helpers')

diff --git a/system/helpers/path_helper.php b/system/helpers/path_helper.php
index cf6be776f..dbe090058 100644
--- a/system/helpers/path_helper.php
+++ b/system/helpers/path_helper.php
@@ -61,7 +61,7 @@ if ( ! function_exists('set_realpath'))
 function set_realpath($path, $check_existance = FALSE)
 {
 // Security check to make sure the path is NOT a URL. No remote file inclusion!
-if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp)#i', $path))
+if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp)#i', $path) || (!filter_var($ip, FILTER_VALIDATE_IP) === false))
 {
 show_error('The path you submitted must be a local server path, not a URL');
 }
-- 
cgit v1.2.3-24-g4f1b
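Review bot: The added condition on the `+` line reads `$ip`, but the only input to `set_realpath` is `$path`, so `$ip` is undefined here: PHP emits an undefined-variable notice, `filter_var(null, FILTER_VALIDATE_IP)` returns `false`, and `!false === false` is always `false`, meaning the new check can never fire and the patch adds no protection. The double negation is also hard to read; the intended test is `filter_var($path, FILTER_VALIDATE_IP) !== false`, giving `if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp)#i', $path) || filter_var($path, FILTER_VALIDATE_IP) !== false)`. Even corrected, a bare IPv4/IPv6 literal is only matched when it is the entire `$path`, which is not a URL and is already not includable remotely, so this seems to address a different validator than the one this hunk guards (the "0.0.0.0 - 999.999.999.999" regex in the description is not in this function); an RFI guard here would gain more from rejecting `file://`, `phar://`, other stream wrappers and protocol-relative `//host` prefixes, which the existing regex does not cover. The body of `set_realpath` continues past the end of the hunk.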