From 7b5328f1c7646aca01beed5f06155a65f1b60889 Mon Sep 17 00:00:00 2001
From: Neil Ferreira
Date: Thu, 31 May 2012 16:52:46 +0800
Subject: [PATCH 1/2] getClientIp() will now only return valid IP addresses, rather than assuming the X_FORWARDED_FOR is the first comma seperated value.
---
 src/Symfony/Component/HttpFoundation/Request.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
index 9e35de81cd..581b4c999a 100644
--- a/src/Symfony/Component/HttpFoundation/Request.php
+++ b/src/Symfony/Component/HttpFoundation/Request.php
@@ -546,9 +546,16 @@ class Request
 if ($this->server->has('HTTP_CLIENT_IP')) {
 return $this->server->get('HTTP_CLIENT_IP');
 } elseif ($this->server->has('HTTP_X_FORWARDED_FOR')) {
- $clientIp = explode(',', $this->server->get('HTTP_X_FORWARDED_FOR'), 2);
+ $clientIp = explode(',', $this->server->get('HTTP_X_FORWARDED_FOR'));
- return isset($clientIp[0]) ? trim($clientIp[0]) : '';
+ foreach ($clientIp as $ipAddress) {
+ $cleanIpAddress = trim($ipAddress);
+
+ if (false !== filter_var($cleanIpAddress, FILTER_VALIDATE_IP)) {
+ return $cleanIpAddress;
+ }
+ }
+ return '';
 }
 }
From 85db22130ef9c7cf39c7a3b86fc2149f20c2fde0 Mon Sep 17 00:00:00 2001
From: Neil Ferreira
Date: Thu, 31 May 2012 19:32:31 +0800
Subject: [PATCH 2/2] Since getClientIp() no longer takes a parameter, removed that old test Added a new test for HTTP_X_FORWARDED_FOR that starts with 'unknown, '
---
 src/Symfony/Component/HttpFoundation/Tests/RequestTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
index e6f5aff7e6..9d943ef0d4 100644
--- a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
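Review bot: In the Request.php hunk, the new loop in the `HTTP_X_FORWARDED_FOR` branch returns the leftmost entry that passes `filter_var($cleanIpAddress, FILTER_VALIDATE_IP)`, and that check only proves the string is a well-formed address; the leading entries of this header are whatever the client sent, so the returned value should not be treated as authenticated. The `HTTP_CLIENT_IP` branch just above still returns the raw header, so the commit's stated goal of returning only valid addresses holds for one of the two headers; the same test, `false !== filter_var($this->server->get('HTTP_CLIENT_IP'), FILTER_VALIDATE_IP)`, could guard that return as well. When no entry validates, the branch returns `''`; if the rest of getClientIp() falls back to REMOTE_ADDR (not visible here), falling through to it would serve callers that log or rate-limit by address better than an empty string. The method starts and ends outside the hunk, so whether these branches are gated on a trusted-proxy setting cannot be confirmed from here; a comment such as `// Header-derived value: only meaningful behind a proxy that overwrites these headers.` would make that assumption explicit.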
@@ -552,7 +552,6 @@ class RequestTest extends \PHPUnit_Framework_TestCase
 {
 $request = new Request();
 $this->assertEquals('', $request->getClientIp());
- $this->assertEquals('', $request->getClientIp(true));
 $server = array('REMOTE_ADDR' => $remoteAddr);
 if (null !== $httpClientIp) {
@@ -584,6 +583,7 @@ class RequestTest extends \PHPUnit_Framework_TestCase
 array('2620:0:1cfe:face:b00c::3', true, '::1', '2620:0:1cfe:face:b00c::3', null),
 array('2620:0:1cfe:face:b00c::3', true, '::1', null, '2620:0:1cfe:face:b00c::3, ::1'),
 array('88.88.88.88', true, '123.45.67.89', null, '88.88.88.88, 87.65.43.21, 127.0.0.1'),
+ array('88.88.88.88', true, '123.45.67.89', null, 'unknown, 88.88.88.88'),
 );
 }
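Review bot: The data row added in the second hunk only covers a list whose first entry is invalid and whose second is valid; nothing pins what getClientIp() returns when no entry of X-Forwarded-For validates, which is the new `return ''` path in Request.php. Assuming the columns are (expected, proxy, REMOTE_ADDR, Client-IP, X-Forwarded-For), as the neighbouring rows suggest, a row such as `array('', true, '123.45.67.89', null, 'unknown'),` would cover it. A row with an out-of-range entry, for example `array('88.88.88.88', true, '123.45.67.89', null, '256.1.1.1, 88.88.88.88'),`, would exercise the validator rather than just a non-numeric token. The provider method starts outside the hunk.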