dmitryd
commented
6 months ago filter_var() with FILTER_VALIDATE_IP should be better.
Open martijnf1 opened 7 months ago
dmitryd
commented
6 months ago filter_var() with FILTER_VALIDATE_IP should be better.
preg_replace('~[^0-9\.]~', '', $ipAddress)only makes sure that$ipAddresskind of looks like a valid ipv4 address, but sequences of any number and periods are still allowed. "10.0.0.0.0.0.0.0.0.0.0.0.1" would not be sanitised, as would ".................................". This does not immediately pose any obvious security issues, but it sanitises valid ipv6 addresses to invalid ones.https://github.com/einpraegsam/ipandlanguageredirect/blame/5fa7ac860ff18ec05cf6bd3e9b8ba3e5491bca5c/Classes/Domain/Service/IpToCountry/LocalDatabase.php#L53