From 08db8cebec8057601c767b78cb22c6b55b009c4d Mon Sep 17 00:00:00 2001
From: Claudio Sanches
Date: Fri, 5 May 2017 16:58:08 -0300
Subject: [PATCH] Check if IP address is valid
---
 includes/class-wc-geolocation.php | 37 ++++-
 includes/vendor/class-requests-ipv6.php | 184 ++++++++++++++++++++++++
 2 files changed, 218 insertions(+), 3 deletions(-)
 create mode 100644 includes/vendor/class-requests-ipv6.php
diff --git a/includes/class-wc-geolocation.php b/includes/class-wc-geolocation.php
index 062799815ff..0add5f85594 100644
--- a/includes/class-wc-geolocation.php
+++ b/includes/class-wc-geolocation.php
@@ -66,6 +66,33 @@ class WC_Geolocation {
 return $new_value;
 }
 
+ /**
+ * Check if is a valid IP address.
+ *
+ * @since 3.0.6
+ * @param string $ip_address IP address.
+ * @return string|bool The valid IP address, otherwise false.
+ */
+ private function is_ip_address( $ip_address ) {
+ // WP 4.7+ only.
+ if ( function_exists( 'rest_is_ip_address' ) ) {
+ return rest_is_ip_address( $ip_address );
+ }
+
+ // Support for WordPress 4.4 to 4.6.
+ if ( ! class_exists( 'Requests_IPv6', false ) ) {
+ include_once( dirname( __FILE__ ) . '/vendor/class-requests-ipv6.php' );
+ }
+
+ $ipv4_pattern = '/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/';
+
+ if ( ! preg_match( $ipv4_pattern, $ip ) && ! Requests_IPv6::check_ipv6( $ip ) ) {
+ return false;
+ }
+
+ return $ip;
+ }
+
 /**
 * Get current user IP Address.
 * @return string
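Review bot: The fallback branch of `is_ip_address()` reads `$ip`, but the parameter is named `$ip_address`, so on WordPress 4.4 to 4.6 the undefined variable never matches either test and every forwarded address is rejected; the check should be `if ( ! preg_match( $ipv4_pattern, $ip_address ) && ! Requests_IPv6::check_ipv6( $ip_address ) ) {` followed by `return $ip_address;`. The method is also declared `private function` without `static`, while the call added in the next hunk is `self::is_ip_address( ... )`, apparently from a static method; `private static function is_ip_address( $ip_address ) {` avoids the non-static-call notice, which becomes a fatal error on PHP 8.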
@@ -76,7 +103,7 @@ class WC_Geolocation {
 } elseif ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
 // Proxy servers can send through this header like this: X-Forwarded-For: client1, proxy1, proxy2
 // Make sure we always only send through the first IP in the list which should always be the client IP.
- return trim( current( explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) );
+ return (string) self::is_ip_address( trim( current( explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) ) );
 } elseif ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
 return $_SERVER['REMOTE_ADDR'];
 }
@@ -90,8 +117,12 @@ class WC_Geolocation {
 * @return string
 */
 public static function get_external_ip_address() {
- $transient_name = 'external_ip_address_' . self::get_ip_address();
- $external_ip_address = get_transient( $transient_name );
+ $external_ip_address = '0.0.0.0';
+
+ if ( '' !== self::get_ip_address() ) {
+ $transient_name = 'external_ip_address_' . self::get_ip_address();
+ $external_ip_address = get_transient( $transient_name );
+ }
 
 if ( false === $external_ip_address ) {
 $external_ip_address = '0.0.0.0';
diff --git a/includes/vendor/class-requests-ipv6.php b/includes/vendor/class-requests-ipv6.php
new file mode 100644
index 00000000000..a685ca6035a
--- /dev/null
+++ b/includes/vendor/class-requests-ipv6.php
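Review bot: Validating the first `X-Forwarded-For` entry in `get_ip_address()` confirms only that it is a well-formed address, not that it belongs to the client: the requester sets this header unless a trusted proxy overwrites it, and this branch is consulted before `REMOTE_ADDR`. A comment on the branch should record that, e.g. `// Syntax check only: X-Forwarded-For is client-supplied, do not rely on it for access or fraud decisions.` The `if` that precedes this `elseif` starts outside the hunk; if it returns another forwarded header, that value needs the same `is_ip_address()` check. The `(string)` cast turns a rejected value into `''` instead of falling through to `REMOTE_ADDR`, so every caller now has to handle an empty address.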
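Review bot: In `get_external_ip_address()` the new block evaluates `self::get_ip_address()` twice, once for the empty check and once to build the transient name; reading it once keeps the two values in step and is easier to follow: `$ip_address = self::get_ip_address();`, then `if ( '' !== $ip_address ) {` and `$transient_name = 'external_ip_address_' . $ip_address;`. With an empty address the function keeps `'0.0.0.0'` and never enters the `false === $external_ip_address` branch, which deserves a one-line comment such as `// No valid client IP: skip the external lookup.` The rest of the function lies outside the hunk.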
@@ -0,0 +1,184 @@ + FF01:0:0:0:0:0:0:101 + * ::1 -> 0:0:0:0:0:0:0:1 + * + * @author Alexander Merz + * @author elfrink at introweb dot nl + * @author Josh Peck + * @copyright 2003-2005 The PHP Group + * @license http://www.opensource.org/licenses/bsd-license.php + * @param string $ip An IPv6 address + * @return string The uncompressed IPv6 address + */ + public static function uncompress( $ip ) { + if ( substr_count( $ip, '::' ) !== 1 ) { + return $ip; + } + + list($ip1, $ip2) = explode( '::', $ip ); + $c1 = ( '' == $ip1 ) ? -1 : substr_count( $ip1, ':' ); + $c2 = ( '' == $ip2 ) ? -1 : substr_count( $ip2, ':' ); + + if ( strpos( $ip2, '.' ) !== false ) { + $c2++; + } + // :: + if ( -1 === $c1 && -1 === $c2 ) { + $ip = '0:0:0:0:0:0:0:0'; + } // ::xxx + elseif ( -1 === $c1 ) { + $fill = str_repeat( '0:', 7 - $c2 ); + $ip = str_replace( '::', $fill, $ip ); + } // xxx:: + elseif ( -1 === $c2 ) { + $fill = str_repeat( ':0', 7 - $c1 ); + $ip = str_replace( '::', $fill, $ip ); + } // xxx::xxx + else { + $fill = ':' . str_repeat( '0:', 6 - $c2 - $c1 ); + $ip = str_replace( '::', $fill, $ip ); + } + return $ip; + } + + /** + * Compresses an IPv6 address + * + * RFC 4291 allows you to compress consecutive zero pieces in an address to + * '::'. This method expects a valid IPv6 address and compresses consecutive + * zero pieces to '::'. 
+ * + * Example: FF01:0:0:0:0:0:0:101 -> FF01::101 + * 0:0:0:0:0:0:0:1 -> ::1 + * + * @see uncompress() + * @param string $ip An IPv6 address + * @return string The compressed IPv6 address + */ + public static function compress( $ip ) { + // Prepare the IP to be compressed + $ip = self::uncompress( $ip ); + $ip_parts = self::split_v6_v4( $ip ); + + // Replace all leading zeros + $ip_parts[0] = preg_replace( '/(^|:)0+([0-9])/', '\1\2', $ip_parts[0] ); + + // Find bunches of zeros + if ( preg_match_all( '/(?:^|:)(?:0(?::|$))+/', $ip_parts[0], $matches, PREG_OFFSET_CAPTURE ) ) { + $max = 0; + $pos = null; + foreach ( $matches[0] as $match ) { + if ( strlen( $match[0] ) > $max ) { + $max = strlen( $match[0] ); + $pos = $match[1]; + } + } + + $ip_parts[0] = substr_replace( $ip_parts[0], '::', $pos, $max ); + } + + if ( '' !== $ip_parts[1] ) { + return implode( ':', $ip_parts ); + } else { + return $ip_parts[0]; + } + } + + /** + * Splits an IPv6 address into the IPv6 and IPv4 representation parts + * + * RFC 4291 allows you to represent the last two parts of an IPv6 address + * using the standard IPv4 representation + * + * Example: 0:0:0:0:0:0:13.1.68.3 + * 0:0:0:0:0:FFFF:129.144.52.38 + * + * @param string $ip An IPv6 address + * @return string[] [0] contains the IPv6 represented part, and [1] the IPv4 represented part + */ + protected static function split_v6_v4( $ip ) { + if ( strpos( $ip, '.' 
) !== false ) { + $pos = strrpos( $ip, ':' ); + $ipv6_part = substr( $ip, 0, $pos ); + $ipv4_part = substr( $ip, $pos + 1 ); + return array( $ipv6_part, $ipv4_part ); + } else { + return array( $ip, '' ); + } + } + + /** + * Checks an IPv6 address + * + * Checks if the given IP is a valid IPv6 address + * + * @param string $ip An IPv6 address + * @return bool true if $ip is a valid IPv6 address + */ + public static function check_ipv6( $ip ) { + $ip = self::uncompress( $ip ); + list($ipv6, $ipv4) = self::split_v6_v4( $ip ); + $ipv6 = explode( ':', $ipv6 ); + $ipv4 = explode( '.', $ipv4 ); + if ( count( $ipv6 ) === 8 && count( $ipv4 ) === 1 || count( $ipv6 ) === 6 && count( $ipv4 ) === 4 ) { + foreach ( $ipv6 as $ipv6_part ) { + // The section can't be empty + if ( '' === $ipv6_part ) { + return false; + } + + // Nor can it be over four characters + if ( strlen( $ipv6_part ) > 4 ) { + return false; + } + + // Remove leading zeros (this is safe because of the above) + $ipv6_part = ltrim( $ipv6_part, '0' ); + if ( '' === $ipv6_part ) { + $ipv6_part = '0'; + } + + // Check the value is valid + $value = hexdec( $ipv6_part ); + if ( dechex( $value ) !== strtolower( $ipv6_part ) || $value < 0 || $value > 0xFFFF ) { + return false; + } + } + if ( count( $ipv4 ) === 4 ) { + foreach ( $ipv4 as $ipv4_part ) { + $value = (int) $ipv4_part; + if ( (string) $value !== $ipv4_part || $value < 0 || $value > 0xFF ) { + return false; + } + } + } + return true; + } else { + return false; + } + } +}