Update $_SERVER checks for IP_ADDRESS
NewEraCracker committed Mar 22, 2016
1 parent 395e9e7 commit 7d3527a
Showing 1 changed file with 4 additions and 2 deletions.
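--- a/csrf-magic.php
+++ b/csrf-magic.php
@@ -217,7 +217,8 @@ function csrf_get_tokens() {
 $secret = csrf_get_secret();
 if (!$has_cookies && $secret) {
 // :TODO: Harden this against proxy-spoofing attacks
-$ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
+$IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+$ip = ';ip:' . csrf_hash($IP_ADDRESS);
 } else {
 $ip = '';
 }
@@ -327,7 +328,8 @@ function csrf_check_token($token) {
 if ($GLOBALS['csrf']['user'] !== false) return false;
 if (!empty($_COOKIE)) return false;
 if (!$GLOBALS['csrf']['allow-ip']) return false;
-return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
+$IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+return $value === csrf_hash($IP_ADDRESS, $time);
 }
 return false;
 }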
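Review bot: The address lookup is now written out twice, in csrf_get_tokens() and again in csrf_check_token(), and an IP-bound token only verifies if both sides pick the same source, so a single helper would keep them from drifting: `function csrf_get_ip() { return !empty($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']; }`. Using `!empty()` rather than `isset()` also covers an `IP_ADDRESS` that is set but blank, which would otherwise give every cookieless client the same binding value instead of falling back to `REMOTE_ADDR`. `IP_ADDRESS` is not a key PHP fills in itself, so a comment stating what is expected to set it would help; if it is derived from a forwarded-for style header the client controls the value, and the existing `:TODO:` about proxy spoofing still applies. Both function bodies start and end outside the hunks shown.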
