[wp-hackers] WordPress IPv6 bug
kimmo at global-wire.fi
Fri Sep 28 08:25:22 GMT 2007
On Fri, Sep 28, 2007 at 09:11:56AM +0100, Peter Westwood wrote:
> On Fri, September 28, 2007 8:03 am, Kimmo Suominen wrote:
> > Hi!
> > I have a comment from 2007-03-03 with a good IP address logged:
> > 2001:14b8:1ee:0:211:11ff:fe98:edf1
> > But on another comment from 2007-09-13 I have this:
> > 20011481021111981
> > It appears to be the same address (my workstation), but with all
> > the colons and non-digit characters removed.
> > It seems this has already been reported on trac:
> > #4579: IPv6 IPs
> > #3987: IPv6 support
> > The culprit appears to be in changeset 3990:
> > http://trac.wordpress.org/changeset/3990
> > I think the changes made to wp-includes/comment.php should just
> > be reversed. The data in $_SERVER['REMOTE_ADDR'] is filled in by
> > the web server using information from the socket structure, so it
> > seems to me there is little need to further "sanitize" it.
> > I've attached a patch to ticket #4579 to revert the change.
> > The change in wp-includes/functions.php is fine, since Spamhaus
> > does not support IPv6. It might be good to check for the case
> > that $ipnum has become empty after calling preg_replace().
> I think the best solution here would be to move the checks to a
> sanitization function and allow plugins to override it.
> We could then add IPv6 support to the santization function (or to start
> with it could be provided by a plugin)
There is a suggested function in ticket #3262, although it doesn't
have a hook.
Another possible problem with it seems to be possible regression
with regard to ticket #1738, since the suggested function in #3262
removes space and comma from the allowed characters. Apparently
REMOTE_ADDR can be a list of addresses.
I wonder what the semantics with the list of addresses is. How can
the remote (or local, for that matter) end of a TCP or other socket
connection be more than one (IP) address?
I understand how HTTP_X_FORWARDED_FOR can be a comma separated list,
but not REMOTE_ADDR. However, it doesn't look like WordPress uses
HTTP_X_FORWARDED_FOR at all (at least 2.3).
<A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>
More information about the wp-hackers