From d8a76b14428d9a5cc955dd0341f032e43f53c7d9 Mon Sep 17 00:00:00 2001
From: Meik Sievertsen
Date: Thu, 20 Aug 2009 08:43:10 +0000
Subject: [PATCH] Add some very basic checks to the users ip - related to bug #48995

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10020 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/includes/session.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 8d41616123..112cf4e2fd 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -268,6 +268,27 @@ class session
 // Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
 // it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
 $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : '';
+ $this->ip = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->ip));
+
+ // split the list of IPs
+ $ips = explode(' ', $this->ip);
+
+ // Default IP if REMOTE_ADDR is invalid
+ $this->ip = '127.0.0.1';
+
+ foreach ($ips as $ip)
+ {
+ // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly
+ if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip))
+ {
+ // Just break
+ break;
+ }
+
+ // Use the last in chain
+ $this->ip = $ip;
+ }
+
 $this->load = false;

 // Load limit check (if applicable)
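Review bot: The guard on the `if` inside the foreach lets an empty entry through: `!empty($ip) && …` is false for `''` (and for `'0'`), so `$this->ip = $ip` overwrites the `'127.0.0.1'` default with an empty string, which contradicts the "Default IP if REMOTE_ADDR is invalid" comment whenever `$_SERVER['REMOTE_ADDR']` is unset or blank (the ternary above yields `''` and `explode` then gives a single empty entry). Inverting the test makes empty and malformed entries behave the same way: `if (empty($ip) || (!preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip)))`. Separately, every client whose address fails validation ends up sharing `127.0.0.1`, so any IP-keyed logic downstream (session or ban matching, presumably) cannot tell those clients apart; that trade-off deserves a comment on the default line, e.g. `// All unparseable addresses collapse to loopback, so IP-based checks treat them as one host`. The enclosing method starts and ends outside the hunk.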