From 298254103e66a005b9b74562dc2ee2c0399af6b7 Mon Sep 17 00:00:00 2001
From: Ralph Slooten
Date: Tue, 24 Feb 2015 15:39:59 +1300
Subject: [PATCH] Improved getIP() detection

Ignore invalid HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers, as well as reserved internal IP addresses (eg: internal networks with squid proxy).
---
 control/HTTPRequest.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/control/HTTPRequest.php b/control/HTTPRequest.php
index 62229e2f4..4e8b3b496 100644
--- a/control/HTTPRequest.php
+++ b/control/HTTPRequest.php
@@ -655,15 +655,20 @@ class SS_HTTPRequest implements ArrayAccess {
 * @return string
 */
 public function getIP() {
+ $ip = false;
 if (!empty($_SERVER['HTTP_CLIENT_IP'])) { //check ip from share internet
- return $_SERVER['HTTP_CLIENT_IP'];
+ $ip = $_SERVER['HTTP_CLIENT_IP'];
 } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { //to check ip is pass from proxy
- return $_SERVER['HTTP_X_FORWARDED_FOR'];
- } elseif(isset($_SERVER['REMOTE_ADDR'])) {
- return $_SERVER['REMOTE_ADDR'];
+ $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
 }
+ if ((!$ip || !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE))
+ && !empty($_SERVER['REMOTE_ADDR'])) {
+ //if no other forwarding ip is found, invalid, or internal ip address
+ $ip = $_SERVER['REMOTE_ADDR'];
+ }
+ return $ip;
 }
 /**
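Review bot: The new filter_var check only rejects private and reserved values, so getIP() still returns whatever a client places in HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR as long as it parses as a public address; the result remains client-controlled and the method should say so, e.g. a comment above the first if: `// HTTP_CLIENT_IP / X-Forwarded-For are client-supplied; only rely on them when REMOTE_ADDR is a known proxy`. A multi-hop X-Forwarded-For value is a comma-separated list, which FILTER_VALIDATE_IP rejects, so the added fallback replaces the forwarded address with REMOTE_ADDR exactly when a proxy chain is present; splitting the list before validating, `$ip = trim(explode(',', $ip)[0]);`, keeps the same validation path working for that case. When the header is set but fails validation and REMOTE_ADDR is empty, the unvalidated header string is returned unchanged, and when no source is set the new `$ip = false;` initial value is returned although the docblock in the hunk says `@return string` — either validate before returning or change it to `@return string|false`.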