From 7d3527a515471d94d35c3cbc26bc1c70ad25b4e9 Mon Sep 17 00:00:00 2001
From: NewEraCracker <neweracracker@gmail.com>
Date: Tue, 22 Mar 2016 15:33:21 +0000
Subject: [PATCH] Update $_SERVER checks for IP_ADDRESS

Inspired by https://github.com/jasonstockman/csrf-magic/commit/f32890d9de27ffe7c2bb223d900c025f7b80b44e
---
 csrf-magic.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/csrf-magic.php b/csrf-magic.php
index 0289e1a..65db19f 100644
--- a/csrf-magic.php
+++ b/csrf-magic.php
@@ -217,7 +217,8 @@ function csrf_get_tokens() {
 $secret = csrf_get_secret();
 if (!$has_cookies && $secret) {
 // :TODO: Harden this against proxy-spoofing attacks
- $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
+ $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+ $ip = ';ip:' . csrf_hash($IP_ADDRESS);
 } else {
 $ip = '';
 }
@@ -327,7 +328,8 @@ function csrf_check_token($token) {
 if ($GLOBALS['csrf']['user'] !== false) return false;
 if (!empty($_COOKIE)) return false;
 if (!$GLOBALS['csrf']['allow-ip']) return false;
- return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
+ $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+ return $value === csrf_hash($IP_ADDRESS, $time);
 }
 return false;
 }
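Review bot: The new fallback in csrf_get_tokens() guards `IP_ADDRESS` with isset() but reads `$_SERVER['REMOTE_ADDR']` unconditionally, so in a SAPI that does not populate it (CLI, some test harnesses) the line emits an undefined-index notice and passes null into csrf_hash(), which is exactly the failure mode the commit sets out to remove; the same applies to the identical line in the csrf_check_token() hunk. Both call sites should resolve the address the same way, so the duplicated ternary is better moved into a small helper, e.g. `function csrf_get_ip() { if (isset($_SERVER['IP_ADDRESS'])) return $_SERVER['IP_ADDRESS']; return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : ''; }`, with each hunk reduced to `$ip_address = csrf_get_ip();` — keeping token generation and token verification from ever diverging on which address they bind to. As a point of style, `$IP_ADDRESS` is an upper-case local in a file whose locals are lower-case (`$ip`, `$secret`, `$value`); `$ip_address` matches the surrounding code. The enclosing function body starts before and ends after this hunk.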
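Review bot: The REMOTE_ADDR fallback in csrf_check_token() changes what the cookie-less, user-less `allow-ip` token is bound to, and that deserves a comment where the address is chosen: REMOTE_ADDR is the direct TCP peer, so behind a reverse proxy or load balancer it is the proxy's address and every client routed through it shares one IP-bound token, which weakens this branch to roughly no per-client binding in such deployments. The `:TODO: Harden this against proxy-spoofing attacks` note in the first hunk already hints at this, but nothing tells a deployer that `IP_ADDRESS` is the knob they must populate (from a header they trust at the proxy boundary) for `allow-ip` to be meaningful behind a proxy. I would add above the new line `// REMOTE_ADDR is the TCP peer; behind a reverse proxy set $_SERVER['IP_ADDRESS'] to the trusted client address or every client shares this token`. The enclosing function continues outside the hunk, and I am inferring the shared-token consequence from how the address feeds csrf_hash() here rather than from csrf_hash() itself, which is not in view.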