RequestFactory: correctly ignores not-ip values in HTTP_X_FORWARDED_FOR & REMOTE_ADDR (#122)

Author: hrach

src/Http/RequestFactory.php

@@ -247,7 +247,7 @@ public function createHttpRequest(): Request
 				if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
 					$xForwardedForWithoutProxies = array_filter(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']), function ($ip) {
 						return !array_filter($this->proxies, function ($proxy) use ($ip) {
-							return Helpers::ipMatch(trim($ip), $proxy);
+							return filter_var(trim($ip), FILTER_VALIDATE_IP) !== FALSE && Helpers::ipMatch(trim($ip), $proxy);
 						});
 					});
 					$remoteAddr = trim(end($xForwardedForWithoutProxies));

tests/Http/RequestFactory.proxy.x-forwarded.phpt

@@ -35,8 +35,8 @@ test(function () {
 	$_SERVER = [
 		'REMOTE_ADDR' => '10.0.0.2', //proxy2
 		'REMOTE_HOST' => 'proxy2',
-		'HTTP_X_FORWARDED_FOR' => '123.123.123.123, 172.16.0.1, 10.0.0.1',
-		'HTTP_X_FORWARDED_HOST' => 'fake, real, proxy1',
+		'HTTP_X_FORWARDED_FOR' => '123.123.123.123, not-ip.com, 172.16.0.1, 10.0.0.1',
+		'HTTP_X_FORWARDED_HOST' => 'fake, not-ip.com, real, proxy1',
 	];
 
 	$factory = new RequestFactory;