Don’t even attempt to use the unsafe option

xwp · Oct 16, 2023 · dde743a · dde743a
1 parent d2f7a11
commit dde743a
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 58 deletions.
diff --git a/classes/class-log.php b/classes/class-log.php
@@ -75,11 +75,6 @@ public function log( $connector, $message, $args, $object_id, $context, $action,
 
 		$ip_address = $this->plugin->get_client_ip_address();
 
-		// Fallback to unsafe IP extracted from the request HTTP headers.
-		if ( empty( $ip_address ) ) {
-			$ip_address = $this->plugin->get_unsafe_client_ip_address();
-		}
-
 		$user = new \WP_User( $user_id );
 
 		if ( $this->is_record_excluded( $connector, $context, $action, $user, $ip_address ) ) {

diff --git a/classes/class-plugin.php b/classes/class-plugin.php
@@ -334,39 +334,4 @@ public function is_mustuse() {
 	public function get_client_ip_address() {
 		return apply_filters( 'wp_stream_client_ip_address', $this->client_ip_address );
 	}
-
-	/**
-	 * Get the client IP address from the HTTP request headers.
-	 *
-	 * There is no guarantee that this is the real IP address of the client.
-	 *
-	 * @return string|null
-	 */
-	public function get_unsafe_client_ip_address() {
-		// List of $_SERVER keys that could contain the client IP address.
-		$address_headers = array(
-			'HTTP_X_FORWARDED_FOR',
-			'HTTP_FORWARDED_FOR',
-		);
-
-		foreach ( $address_headers as $header ) {
-			if ( ! empty( $_SERVER[ $header ] ) ) {
-				$header_client_ip = $_SERVER[ $header ];
-
-				// Account for multiple IPs in case of multiple proxies.
-				if ( false !== strpos( $header_client_ip, ',' ) ) {
-					$header_client_ips = explode( ',', $header_client_ip );
-					$header_client_ip  = $header_client_ips[0];
-				}
-
-				$client_ip = wp_stream_filter_var( trim( $header_client_ip ), FILTER_VALIDATE_IP );
-
-				if ( ! empty( $client_ip ) ) {
-					return $client_ip;
-				}
-			}
-		}
-
-		return null;
-	}
 }
diff --git a/tests/tests/test-class-plugin.php b/tests/tests/test-class-plugin.php
@@ -88,22 +88,4 @@ public function test_get_version() {
 	public function test_get_client_ip_address() {
 		$this->assertEquals( $_SERVER['REMOTE_ADDR'], $this->plugin->get_client_ip_address() );
 	}
-
-	public function test_get_unsafe_client_ip_address() {
-		$_SERVER['HTTP_X_FORWARDED_FOR'] = ' 123.123.123.123 , 321.123.123.123, 456.123.123.123 ';
-
-		$this->assertEquals(
-			'123.123.123.123',
-			$this->plugin->get_unsafe_client_ip_address(),
-			'Use the first IP from the list'
-		);
-
-		$_SERVER['HTTP_X_FORWARDED_FOR'] = '827.invalid-ip';
-
-		$this->assertEquals(
-			false,
-			$this->plugin->get_unsafe_client_ip_address(),
-			'Invalid IP format should fail the validation'
-		);
-	}
 }