Add some very basic checks to the users ip - related to bug #48995

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10020 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/includes/session.php

@@ -268,6 +268,27 @@ class session
 		// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
 		// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
 		$this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : '';
+		$this->ip = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->ip));
+
+		// split the list of IPs
+		$ips = explode(' ', $this->ip);
+
+		// Default IP if REMOTE_ADDR is invalid
+		$this->ip = '127.0.0.1';
+
+		foreach ($ips as $ip)
+		{
+			// check IPv4 first, the IPv6 is hopefully only going to be used very seldomly
+			if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip))
+			{
+				// Just break
+				break;
+			}
+
+			// Use the last in chain
+			$this->ip = $ip;
+		}
+
 		$this->load = false;
 
 		// Load limit check (if applicable)