author | chris <chris@jalakai.co.uk> | 2006-09-08 14:27:44 +0200 |
---|---|---|
committer | chris <chris@jalakai.co.uk> | 2006-09-08 14:27:44 +0200 |
commit | 4ff284433a56bc03d9dc0fa34f0b76cf58950b28 (patch) | |
tree | 140e2afd18388464c9a674aa3cc24e521597f9b0 | |
parent | 8403b751d437cf0ff33be20f97e2cabc0c56bfb4 (diff) | |
clientIP() update, data cleaning improvements
as per recent security warning, clientIP() could
return other arbitrary data along with an IP
address. This fix ensures only IP addresses can
be returned by this function.
darcs-hash:20060908122744-9b6ab-8c90ca361b038a47b65f3f3dbf7228ae569f8c08.gz
-rw-r--r-- | inc/common.php | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/inc/common.php b/inc/common.php
index a0e1e882b..6fa0cff3c 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -495,9 +495,14 @@ function clientIP($single=false){
  // remove any non-IP stuff
  $cnt = count($ip);
+ $match = array();
  for($i=0; $i<$cnt; $i++){
  $ip[$i] = preg_replace('/[^0-9\.]+/','',$ip[$i]);
- if(!preg_match('/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/',$ip[$i])) $ip[$i] = '';
+ if(preg_match('/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/',$ip[$i],$match)) {
+ $ip[$i] = $match[0];
+ } else {
+ $ip[$i] = '';
+ }
  if(empty($ip[$i])) unset($ip[$i]);
  }
  $ip = array_values(array_unique($ip)); |
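Review bot: The pattern in the new `preg_match` is still unanchored and runs on a string from which the preceding `preg_replace` has already removed every character other than digits and dots, so `$match[0]` can be a dotted quad assembled from digits that were not adjacent in the original entry, and octets above 255 are accepted. Since the commit message says the input can carry arbitrary data, the check is better made against the untouched entry: `if(preg_match('/^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/',$ip[$i],$match)) {` with `$ip[$i] = $match[1];`, followed by a check that each octet is at most 255, and with the stripping `preg_replace` dropped. The existing comment could also say that only dotted-quad IPv4 survives this loop, because anything else, IPv6 included, is silently discarded. clientIP() begins and ends outside the hunk, so how `$ip` is populated and what callers do with the result is not visible here.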