From f32890d9de27ffe7c2bb223d900c025f7b80b44e Mon Sep 17 00:00:00 2001
From: Jason
Date: Wed, 29 Oct 2014 16:56:03 -0700
Subject: [PATCH] update $_SERVER[] value check

Added error handling if the IP cant be detected in $_SESSION
---
csrf-magic.php | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/csrf-magic.php b/csrf-magic.php
index 58f4eba..35e17d6 100644
--- a/csrf-magic.php
+++ b/csrf-magic.php
@@ -215,9 +215,9 @@ function csrf_get_tokens() {
 // any cookies. It may or may not be used, depending on whether or not
 // the cookies "stick"
 $secret = csrf_get_secret();
- if (!$has_cookies && $secret) {
+ if (!$has_cookies && $secret && (isset($_SERVER['IP_ADDRESS']) || isset($_SERVER['REMOTE_ADDR']) )) {
 // :TODO: Harden this against proxy-spoofing attacks
- $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
+ $ip = ';ip:' . csrf_hash( isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR'] ) ;
 } else {
 $ip = '';
 }
@@ -327,7 +327,10 @@ function csrf_check_token($token) {
 if ($GLOBALS['csrf']['user'] !== false) return false;
 if (!empty($_COOKIE)) return false;
 if (!$GLOBALS['csrf']['allow-ip']) return false;
- return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
+ if (isset($_SERVER['IP_ADDRESS']) || isset($_SERVER['REMOTE_ADDR']) ) {
+ return $value === csrf_hash(isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR'], $time);
+ }
+ return false;
 }
 return false;
 }
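Review bot: The IP_ADDRESS-then-REMOTE_ADDR selection is written out twice in this hunk (once in the `if` condition, once inside the `csrf_hash(...)` call) and a third and fourth time in the csrf_check_token hunk below, so the token generator and the token checker can silently diverge on which address they hash if only one site is later edited. Pulling the lookup into a single helper that returns null when neither key is set keeps both sides bound to the same value and gives one place to document the fallback order; `REMOTE_ADDR` is the standard CGI variable while `IP_ADDRESS` is not, which the helper's comment should say. The existing `// :TODO: Harden this against proxy-spoofing attacks` still applies to whichever value is chosen and should stay next to the hash. csrf_get_tokens() starts and ends outside this hunk.
```php
// Client address from the first populated source, or null when none is set.
// IP_ADDRESS is a non-standard key; REMOTE_ADDR is the CGI/1.1 name.
function csrf_get_ip() {
    if (isset($_SERVER['IP_ADDRESS'])) return $_SERVER['IP_ADDRESS'];
    if (isset($_SERVER['REMOTE_ADDR'])) return $_SERVER['REMOTE_ADDR'];
    return null;
}
// … unchanged: $has_cookies / $secret setup in csrf_get_tokens() …
    $client_ip = csrf_get_ip();
    if (!$has_cookies && $secret && $client_ip !== null) {
        // :TODO: Harden this against proxy-spoofing attacks
        $ip = ';ip:' . csrf_hash($client_ip);
    } else {
        $ip = '';
    }
```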
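Review bot: The new `return $value === csrf_hash(..., $time);` line compares a secret-derived token with `===`, which stops at the first differing byte; if the project can require PHP 5.6 or later, `return hash_equals(csrf_hash(..., $time), $value);` makes the comparison constant-time (csrf_hash is defined outside this hunk, so confirm it always returns a string, which hash_equals requires, and that `$value` is a string at this point). The added `return false;` after the new `}` appears redundant with the `return false;` visible in the trailing context lines, assuming the context `}` closes the enclosing `if` rather than the function, and can be dropped. csrf_check_token() starts and ends outside this hunk.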