• Resolved beargfr

    (@beargfr)


    As stated, you have a defect in core/LimitLoginAttempts.php, specifically in your is_ip_valid function. It fails to recognize an IP address that also contains a port designation, for example nnn.nnn.nnn.nnn:pppp, as being valid. Furthermore, your code in function get_address should detect that a port designation is present on an IP address and should probably strip that portion of the address off before returning the result.

    I corrected your code locally by changing the is_ip_valid function to be:

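    public function is_ip_valid( $ip ) {

        if ( empty( $ip ) ) return false;

        // Wrap the value in a URL so parse_url() separates the host from any ":port".
        $local_ip = parse_url( "https://" . $ip . "/index.php", PHP_URL_HOST );

        // Drop the brackets of a bracketed IPv6 host ("[addr]:port"), if present.
        if ( is_string( $local_ip ) ) {
            $local_ip = trim( $local_ip, '[]' );
        }

        if ( filter_var( $local_ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
            return true;
        }

        if ( filter_var( $local_ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
            return true;
        }

        return false;
    }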
    • This topic was modified 1 year, 10 months ago by beargfr.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author WPChef

    (@wpchefgadget)

    Hi beargfr, thank you for your feedback.
    It is not necessary to divide the filter_var($ip, FILTER_VALIDATE_IP) into two separate checks b/c FILTER_VALIDATE_IP with no flags will validate both v4 and v6.
    Regarding the port: in which header did you receive an IP address and a port at the same time?

    Thread Starter beargfr

    (@beargfr)

    Yes, it is. Necessary, that is. I have WordPress instances that are running behind a proxy and are also running inside containers on various servers inside my local network. So unless I include HTTP_X_FORWARDED_FOR in the settings for Trusted IP Origins, all logins appear to originate from the IP address of the proxy instead of the true origination point. These IP addresses will always have a port number on them because that’s how the front end proxy directs inbound traffic to the appropriate WordPress instance/container, and your is_ip_valid function as shipped does not handle them correctly.

    Plugin Author WPChef

    (@wpchefgadget)

    Thank you for this information, we’ll add the port check in the next version of the plugin.

    Plugin Author WPChef

    (@wpchefgadget)

    This has been resolved with the new version.

  • The topic ‘You have a defect in core/LimitLoginAttempts.php’ is closed to new replies.
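
An added example, not the plugin's code and not written by either poster: one way to do what the first post asks of get_address, accepting a forwarded address with an optional port and returning the bare IP so that login attempts are counted per address rather than per address-and-port. The helper name normalize_forwarded_ip and the sample values are assumptions; unlike the parse_url() approach, it rejects a value that carries anything other than an address and a port.

```php
<?php
// Added example. normalize_forwarded_ip() is a hypothetical helper name.
// Returns the bare IP address, or null when the value is not an address
// with an optional port.
function normalize_forwarded_ip( $value ) {
    $value = trim( (string) $value );
    if ( $value === '' ) {
        return null;
    }

    // Bare IPv4 or IPv6 address: nothing to strip.
    if ( filter_var( $value, FILTER_VALIDATE_IP ) !== false ) {
        return $value;
    }

    // "a.b.c.d:port", "[v6]" or "[v6]:port". The patterns are anchored, so a
    // trailing path, userinfo or extra colons are rejected, not ignored.
    if ( preg_match( '/^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$/', $value, $m ) ) {
        $host = $m[1];
        $port = $m[2];
        $flag = FILTER_FLAG_IPV4;
    } elseif ( preg_match( '/^\[([0-9A-Fa-f:.]+)\](?::(\d{1,5}))?$/', $value, $m ) ) {
        $host = $m[1];
        $port = isset( $m[2] ) ? $m[2] : null;
        $flag = FILTER_FLAG_IPV6;
    } else {
        return null;
    }

    // A port, when present, must be in the valid TCP/UDP range.
    if ( $port !== null && ( (int) $port < 1 || (int) $port > 65535 ) ) {
        return null;
    }

    // Final say on the address itself stays with filter_var().
    return filter_var( $host, FILTER_VALIDATE_IP, $flag ) !== false ? $host : null;
}

// Constructed sample values (documentation address ranges).
$samples = array(
    '203.0.113.7',
    '203.0.113.7:51234',
    '[2001:db8::1]:443',
    '2001:db8::1',
    '203.0.113.7/index.php',
    '203.0.113.7:99999',
);
foreach ( $samples as $s ) {
    var_export( normalize_forwarded_ip( $s ) );
    echo "  <= {$s}\n";
}
```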