From 4ff284433a56bc03d9dc0fa34f0b76cf58950b28 Mon Sep 17 00:00:00 2001
From: chris <chris@jalakai.co.uk>
Date: Fri, 8 Sep 2006 14:27:44 +0200
Subject: [PATCH] clientIP() update, data cleaning improvements

As per a recent security warning, clientIP() could
return other arbitrary data along with an IP
address. This fix ensures that only IP addresses can
be returned by this function.

darcs-hash:20060908122744-9b6ab-8c90ca361b038a47b65f3f3dbf7228ae569f8c08.gz
---
 inc/common.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/inc/common.php b/inc/common.php
index a0e1e882b..6fa0cff3c 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -495,9 +495,14 @@ function clientIP($single=false){
 
   // remove any non-IP stuff
   $cnt = count($ip);
+  $match = array();
   for($i=0; $i<$cnt; $i++){
     $ip[$i] = preg_replace('/[^0-9\.]+/','',$ip[$i]);
-    if(!preg_match('/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/',$ip[$i])) $ip[$i] = '';
+    if(preg_match('/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/',$ip[$i],$match)) {
+      $ip[$i] = $match[0];
+    } else {
+      $ip[$i] = '';
+    }
     if(empty($ip[$i])) unset($ip[$i]);
   }
   $ip = array_values(array_unique($ip));
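Review bot: The new `preg_match` is still unanchored and runs after `preg_replace` has deleted every non-digit, non-dot character, so `$match[0]` can be an address the client never sent: digits on either side of stripped text are fused together, and a longer digit run is silently cut down to a matching substring. Octets are not range-checked either, so `999.999.999.999` is kept as a valid result. I would validate the raw entry instead of the stripped one, e.g. `$ip[$i] = trim($ip[$i]);` followed by `if(preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/',$ip[$i])) {`, and drop any entry with an octet above 255. clientIP() starts and ends outside the hunk, so how `$ip` is filled is not visible here. If it comes from forwarded-for style request headers, a comment such as `// values may be client-supplied; do not use for access decisions without a trusted-proxy check` would help callers.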
-- 
GitLab