From 7d3527a515471d94d35c3cbc26bc1c70ad25b4e9 Mon Sep 17 00:00:00 2001
From: NewEraCracker <neweracracker@gmail.com>
Date: Tue, 22 Mar 2016 15:33:21 +0000
Subject: [PATCH] Update $_SERVER checks for IP_ADDRESS

Inspired by https://github.com/jasonstockman/csrf-magic/commit/f32890d9de27ffe7c2bb223d900c025f7b80b44e
---
 csrf-magic.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/csrf-magic.php b/csrf-magic.php
index 0289e1a..65db19f 100644
--- a/csrf-magic.php
+++ b/csrf-magic.php
@@ -217,7 +217,8 @@ function csrf_get_tokens() {
     $secret = csrf_get_secret();
     if (!$has_cookies && $secret) {
         // :TODO: Harden this against proxy-spoofing attacks
-        $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
+        $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+        $ip = ';ip:' . csrf_hash($IP_ADDRESS);
     } else {
         $ip = '';
     }
@@ -327,7 +328,8 @@ function csrf_check_token($token) {
             if ($GLOBALS['csrf']['user'] !== false) return false;
             if (!empty($_COOKIE)) return false;
             if (!$GLOBALS['csrf']['allow-ip']) return false;
-            return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
+            $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+            return $value === csrf_hash($IP_ADDRESS, $time);
     }
     return false;
 }