"Get real client ip address" should be renamed to "Get spoofed client ip address". The function should be renamed to "phpwhois_getclientip_unsafe", with a documented explanation of the security vulnerability.
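HTTP_X_FORWARDED and the similar $_SERVER entries are read from HTTP request headers such as X-Forwarded-For, which are trivial to add to a request. Of the values this function can return, only REMOTE_ADDR comes from the connection itself rather than from a header, so the result cannot be relied on for access control, rate limiting or logging unless a trusted proxy is known to overwrite those headers.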
//-----------------------------------------------------------------
// Get real client ip address
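/**
 * Best-effort guess at the client IP address. The result is NOT trustworthy.
 *
 * Every source consulted before REMOTE_ADDR is a $_SERVER['HTTP_*'] entry,
 * i.e. a value PHP copies from a request header (Client-IP, X-Forwarded-For,
 * X-Forwarded, Forwarded-For, Forwarded). The sender of the request controls
 * those headers, so a client can make this function return any address it
 * likes. Do not use the return value for authorization, allow/deny lists,
 * rate limiting or as the sole address in audit logs; for those, use
 * $_SERVER['REMOTE_ADDR'], and honour forwarding headers only when
 * REMOTE_ADDR is a reverse proxy you operate that overwrites them.
 *
 * phpwhois_validip() is defined elsewhere in the project; presumably it
 * checks the format/range of the address (confirm against its definition).
 * Such a check cannot tell whether the header was forged.
 *
 * @return string|null First header value accepted by phpwhois_validip(),
 *                     otherwise REMOTE_ADDR, or null when REMOTE_ADDR is
 *                     not set (e.g. no web request).
 */
function phpwhois_getclientip()
{
    // Client-controlled header: consulted first to keep the original precedence.
    if (!empty($_SERVER['HTTP_CLIENT_IP']) && phpwhois_validip($_SERVER['HTTP_CLIENT_IP'])) {
        return $_SERVER['HTTP_CLIENT_IP'];
    }

    // X-Forwarded-For may carry a comma-separated chain; take the first entry
    // the validator accepts.
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        foreach (explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']) as $ip) {
            // Return the same trimmed string that was validated; the original
            // validated trim($ip) but returned $ip with its surrounding spaces.
            $ip = trim($ip);
            if (phpwhois_validip($ip)) {
                return $ip;
            }
        }
    }

    // Remaining single-value headers, in the original order. The original
    // tested HTTP_X_FORWARDED a second time at the end; that repeat could
    // never match after the first test failed, so it is dropped.
    foreach (array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED') as $key) {
        if (!empty($_SERVER[$key]) && phpwhois_validip($_SERVER[$key])) {
            return $_SERVER[$key];
        }
    }

    // The only value here that is taken from the connection, not a header.
    // Guarded so a missing key yields null without an undefined-index notice.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
}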