$NetBSD: patch-ae,v 1.1 2011/01/06 14:23:41 taca Exp $

* Prevent the X_FORWARDED_FOR header against XSS attacks, from repository r587.

--- system/libraries/Environment.php.orig	2010-04-12 15:52:19.000000000 +0000
+++ system/libraries/Environment.php
@@ -312,7 +312,11 @@ class Environment
 	 */
 	protected function ip()
 	{
-		return !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
+        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) && preg_match('/^[A-Fa-f0-9, \.\:]+$/', $_SERVER['HTTP_X_FORWARDED_FOR']))
+		{
+			return $_SERVER['HTTP_X_FORWARDED_FOR'];
+		}
+		return $_SERVER['REMOTE_ADDR'];
 	}
 
 
