[wp-hackers] WordPress IPv6 bug

Omry Yadan omry at yadan.net
Fri Sep 28 08:19:55 GMT 2007


I disagree.

Sanitizing should be done by the core, and should be done correctly.

This is tricky, and the order of the actions matters a lot.

I think relying on plugins for it will only create confusion among
users, and possibly security holes.


Peter Westwood wrote:

> On Fri, September 28, 2007 8:03 am, Kimmo Suominen wrote:
>   
>> Hi!
>>
>> I have a comment from 2007-03-03 with a good IP address logged:
>>
>>     2001:14b8:1ee:0:211:11ff:fe98:edf1
>>
>> But on another comment from 2007-09-13 I have this:
>>
>>     20011481021111981
>>
>> It appears to be the same address (my workstation), but with all
>> the colons and non-digit characters removed.
>>
>> It seems this has already been reported on trac:
>>
>>     #4579: IPv6 IPs
>>     #3987: IPv6 support
>>
>> The culprit appears to be in changeset 3990:
>>
>>     http://trac.wordpress.org/changeset/3990
>>
>> I think the changes made to wp-includes/comment.php should just
>> be reversed.  The data in $_SERVER['REMOTE_ADDR'] is filled in by
>> the web server using information from the socket structure, so it
>> seems to me there is little need to further "sanitize" it.
>>
>> I've attached a patch to ticket #4579 to revert the change.
>>
>> The change in wp-includes/functions.php is fine, since Spamhaus
>> does not support IPv6.  It might be good to check for the case
>> that $ipnum has become empty after calling preg_replace().
>>
>>
>>     
>
> I think the best solution here would be to move the checks to a
> sanitization function and allow plugins to override it.
>
> We could then add IPv6 support to the sanitization function (or to start
> with it could be provided by a plugin)
>
> westi
>   
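The symptom Kimmo describes (an IPv6 address reduced to its decimal digits) is what a digit-and-dot-only sanitizer produces. The block below is an added example, not WordPress code and not the content of changeset 3990: the `lossy_sanitize_ip` regex is a guess that reproduces the reported mangling, while `validate_ip` and `dnsbl_reverse_key` are hypothetical replacements showing the validate-or-reject approach and the empty-result check for the IPv4-only Spamhaus lookup. Sample inputs other than the address from the report are constructed.

```php
<?php
// Added example, not WordPress code. Function names are hypothetical.

// Lossy "sanitizer": keeps only digits and dots. An IPv6 address loses
// its colons and hex letters, which is the symptom reported above.
function lossy_sanitize_ip(string $ip): string {
    return preg_replace('/[^0-9.]/', '', $ip);
}

// Validating approach: REMOTE_ADDR comes from the socket, so either it
// parses as an IPv4/IPv6 address or it should be rejected outright.
// Returning an empty string is preferable to storing a mangled value.
function validate_ip(string $ip): string {
    $ip = trim($ip);
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return '';
    }
    return $ip;
}

// Spamhaus-style DNSBL key: that list only supports IPv4, whose octets
// are reversed to build the query name. For anything else the key is
// empty, and the caller must check for that instead of issuing a lookup
// for a bogus name (the "empty after preg_replace" case in the thread).
function dnsbl_reverse_key(string $ip): string {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return '';
    }
    return implode('.', array_reverse(explode('.', $ip)));
}

$samples = [
    '2001:14b8:1ee:0:211:11ff:fe98:edf1', // IPv6 address from the report
    '192.0.2.10',                         // constructed IPv4 (documentation range)
    '1.2.3.4<script>',                    // constructed junk input
];

foreach ($samples as $s) {
    printf("%-36s lossy=%-20s valid=%-36s dnsbl=%s\n",
        $s,
        lossy_sanitize_ip($s),
        validate_ip($s) !== '' ? validate_ip($s) : '(rejected)',
        dnsbl_reverse_key($s) !== '' ? dnsbl_reverse_key($s) : '(none)');
}
```

Running the first sample through `lossy_sanitize_ip` yields `20011481021111981`, the exact string logged on 2007-09-13, which is why reverting the comment.php change and validating rather than stripping is the safer course; the DNSBL helper shows why the functions.php path still needs an explicit empty check before querying.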
