Use string format type of 'ipv4' to validate comment author IP address

rachelbaker · rachelbaker · commit 52542d316a8a · 2016-05-08T10:38:50.000-05:00
New function `rest_is_ip_address()` checks if a value is a valid v4 IP address. It uses regex because core cannot guarantee support for `filter_var`.
diff --git a/lib/endpoints/class-wp-rest-comments-controller.php b/lib/endpoints/class-wp-rest-comments-controller.php
@@ -748,11 +748,7 @@ protected function prepare_item_for_database( $request ) {
 		}
 
 		if ( isset( $request['author_ip'] ) ) {
-			if ( filter_var( $request['author_ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
-				$prepared_comment['comment_author_IP'] = $request['author_ip'];
-			} else {
-				return new WP_Error( 'rest_comment_invalid_author_ip', __( 'The IP address you provided is invalid.' ), array( 'status' => 400 ) );
-			}
+			$prepared_comment['comment_author_IP'] = $request['author_ip'];
 		}
 
 		if ( isset( $request['type'] ) ) {
@@ -811,6 +807,7 @@ public function get_item_schema() {
 				'author_ip'     => array(
 					'description'  => __( 'IP address for the object author.' ),
 					'type'         => 'string',
+					'format'       => 'ipv4',
 					'context'      => array( 'edit' ),
 				),
 				'author_name'     => array(
diff --git a/plugin.php b/plugin.php
@@ -320,6 +320,11 @@ function rest_validate_request_arg( $value, $request, $param ) {
 						return new WP_Error( 'rest_invalid_email', __( 'The email address you provided is invalid.' ) );
 					}
 					break;
+				case 'ipv4' :
+					if ( ! rest_is_ip_address( $value ) ) {
+						return new WP_Error( 'rest_invalid_param', sprintf( __( '%s is not a valid IP address.'), $value ) );
+					}
+					break;
 			}
 		}
 
@@ -395,10 +400,33 @@ function rest_sanitize_request_arg( $value, $request, $param ) {
 
 				case 'uri' :
 					return esc_url_raw( $value );
+
+				case 'ipv4' :
+					return sanitize_text_field( $value );
 			}
 		}
 
 		return $value;
 	}
 
 }
+
+if ( ! function_exists( 'rest_is_ip_address' ) ) {
+	/**
+	 * Determines if a IPv4 address is valid.
+	 *
+	 * Does not handle IPv6 addresses.
+	 *
+	 * @param  string $ipv4 IP 32-bit address.
+	 * @return string|false The valid IPv4 address, otherwise false.
+	 */
+	function rest_is_ip_address( $ipv4 ) {
+		$pattern = '/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/';
+
+		if ( ! preg_match( $pattern, $ipv4 ) ) {
+			return false;
+		}
+
+		return $ipv4;
+	}
+}
