From 7b5328f1c7646aca01beed5f06155a65f1b60889 Mon Sep 17 00:00:00 2001
From: Neil Ferreira
Date: Thu, 31 May 2012 16:52:46 +0800
Subject: [PATCH] getClientIp() will now only return valid IP addresses, rather than assuming the X_FORWARDED_FOR is the first comma seperated value.
---
 src/Symfony/Component/HttpFoundation/Request.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
index 9e35de81cd..581b4c999a 100644
--- a/src/Symfony/Component/HttpFoundation/Request.php
+++ b/src/Symfony/Component/HttpFoundation/Request.php
@@ -546,9 +546,16 @@ class Request
 if ($this->server->has('HTTP_CLIENT_IP')) {
 return $this->server->get('HTTP_CLIENT_IP');
 } elseif ($this->server->has('HTTP_X_FORWARDED_FOR')) {
- $clientIp = explode(',', $this->server->get('HTTP_X_FORWARDED_FOR'), 2);
+ $clientIp = explode(',', $this->server->get('HTTP_X_FORWARDED_FOR'));
- return isset($clientIp[0]) ? trim($clientIp[0]) : '';
+ foreach ($clientIp as $ipAddress) {
+ $cleanIpAddress = trim($ipAddress);
+
+ if (false !== filter_var($cleanIpAddress, FILTER_VALIDATE_IP)) {
+ return $cleanIpAddress;
+ }
+ }
+ return '';
 }
 }
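Review bot: The `HTTP_CLIENT_IP` branch in the context lines above the change still returns the raw header value, so getClientIp() can still return a string that is not an IP address; apply the same check there before returning, e.g. `false !== filter_var(trim($this->server->get('HTTP_CLIENT_IP')), FILTER_VALIDATE_IP)`. The new loop also returns the left-most entry of `X-Forwarded-For` that validates, and that end of the header is supplied by the client, since proxies append on the right. Callers using the result for access control, rate limiting or audit logs should not treat it as verified, and a comment such as `// left-most entry is client-supplied, not verified by the proxy` above the `foreach` would make that explicit. When no entry validates the method returns `''`; the rest of getClientIp() lies outside the hunk, so whether it could fall through to the connection address instead needs checking there.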