Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3432152

Timestamp:

01/04/2026 03:37:55 PM (3 months ago)

Author:

edward_plainview

Message:

MCC v2.158 code

Location:

mycryptocheckout/trunk

Files:

: 3 edited

MyCryptoCheckout.php (modified) (2 diffs)
readme.txt (modified) (2 diffs)
vendor/mycryptocheckout/api/src/v2/API.php (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

mycryptocheckout/trunk/MyCryptoCheckout.php

-                      r3431562
+                      r3432152
 Plugin URI:         https://mycryptocheckout.com
 Text Domain:        mycryptocheckout
 Version:            2.157
+Version:            2.158
 WC tested up to:    10.4.3
 License:            GPLv3
 …
 namespace
+{
     define( 'MYCRYPTOCHECKOUT_PLUGIN_VERSION', 2.157 );
+    define( 'MYCRYPTOCHECKOUT_PLUGIN_VERSION', 2.158 );
     /**
         @brief      Return the instance of MCC.

mycryptocheckout/trunk/readme.txt

-                      r3431562
+                      r3432152
 Requires at least: 6.2
 Requires PHP: 8.0
 Stable tag: 2.157
+Stable tag: 2.158
 Tags: bitcoin, ethereum, payments, woocommerce, bitcoin woocommerce
 Tested up to: 6.9
 …
 == Changelog ==
+= 2.158 =
+* Fix: Fixed cloudflare ipv6 detection code.
+* Fix: Added support for hosts that pretend they are behind cloudflare, but aren't.
 = 2.157 =

mycryptocheckout/trunk/vendor/mycryptocheckout/api/src/v2/API.php

-                      r3431562
+                      r3432152
     **/
     public static $api_url = 'https://api.mycryptocheckout.com/v2/';
     /**
 …
     public abstract function get_client_url();
+    /**
+     * Check if an IP address is a valid Cloudflare proxy IP.
+     *
+     * @param string $ip The IP address to check (IPv4 or IPv6).
+     * @return bool True if the IP is in Cloudflare's ranges, false otherwise.
+     */
+    function is_cloudflare_ip(string $ip): bool
+    {
+        // Validate IP format first
+        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
+            return false;
+        }
+        // Cloudflare IPv4 ranges (as of January 2026 - update periodically from https://www.cloudflare.com/ips/)
+    function is_cloudflare_ip( string $ip ): bool
+    {
+        // Cloudflare Ranges (Recommend fetching these via transient cache instead)
         $ipv4_ranges = [
+            '173.245.48.0/20',
+            '103.21.244.0/22',
+            '103.22.200.0/22',
+            '103.31.4.0/22',
+            '141.101.64.0/18',
+            '108.162.192.0/18',
+            '190.93.240.0/20',
+            '188.114.96.0/20',
+            '197.234.240.0/22',
+            '198.41.128.0/17',
+            '162.158.0.0/15',
+            '104.16.0.0/13',
+            '104.24.0.0/14',
+            '172.64.0.0/13',
+            '131.0.72.0/22'
+            '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22',
+            '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20',
+            '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/13',
+            '104.24.0.0/14', '172.64.0.0/13', '131.0.72.0/22'
         ];
-        // Cloudflare IPv6 ranges
         $ipv6_ranges = [
+            '2400:cb00::/32',
+            '2606:4700::/32',
+            '2803:f800::/32',
+            '2405:b500::/32',
+            '2405:8100::/32',
+            '2a06:98c0::/29',
+            '2c0f:f248::/32'
+            '2400:cb00::/32', '2606:4700::/32', '2803:f800::/32', '2405:b500::/32',
+            '2405:8100::/32', '2a06:98c0::/29', '2c0f:f248::/32'
         ];
+        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            $long_ip = sprintf("%u", ip2long($ip));
+            foreach ($ipv4_ranges as $cidr) {
+                list($subnet, $bits) = explode('/', $cidr);
+                $subnet_long = sprintf("%u", ip2long($subnet));
+                $mask = ~((1 << (32 - $bits)) - 1);
+                if (($long_ip & $mask) === $subnet_long) {
+        // Check IPv4
+        if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
+            $ip_long = ip2long( $ip );
+            foreach ( $ipv4_ranges as $range ) {
+                list( $subnet, $bits ) = explode( '/', $range );
+                $subnet_long = ip2long( $subnet );
+                $mask = -1 << ( 32 - $bits );
+                $subnet_long &= $mask;
+                if ( ( $ip_long & $mask ) == $subnet_long ) {
                     return true;
+                }
+            }
+        }
+        elseif (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+            // Convert IPv6 to 128-bit integer representation (using GMP for accuracy)
+            $unpacked = inet_pton($ip);
+            if ($unpacked === false) {
+                return false;
+            }
+            $hex = bin2hex($unpacked);
+            $ip_int = gmp_init($hex, 16);
+            foreach ($ipv6_ranges as $cidr) {
+                list($subnet, $bits) = explode('/', $cidr);
+                $unpacked_subnet = inet_pton($subnet);
+                $hex_subnet = bin2hex($unpacked_subnet);
+                $subnet_int = gmp_init($hex_subnet, 16);
+                $mask_int = gmp_init('FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF', 16); // Full 128-bit mask
+                if ($bits < 128) {
+                    $shift = 128 - $bits;
+                    $mask_int = gmp_shiftl($mask_int, -$shift); // Equivalent to left shift negative
+        // Check IPv6 (No GMP required)
+        elseif ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
+            $ip_binary = inet_pton( $ip );
+            foreach ( $ipv6_ranges as $range ) {
+                list( $subnet, $bits ) = explode( '/', $range );
+                $subnet_binary = inet_pton( $subnet );
+                // Create the mask
+                // IPv6 is 16 bytes (128 bits)
+                $mask = str_repeat( "\x00", 16 );
+                for( $i = 0; $i < 16; $i++ ) {
+                    if( $bits >= 8 ) {
+                        $mask[$i] = "\xff";
+                        $bits -= 8;
+                    } else {
+                        $mask[$i] = chr( 0xff << ( 8 - $bits ) );
+                        $bits = 0;
+                    }
+                }
                 $masked_ip = gmp_and($ip_int, $mask_int);
                 if (gmp_cmp($masked_ip, $subnet_int) === 0) {
+                // Binary string comparison
+                if ( ( $ip_binary & $mask ) === ( $subnet_binary & $mask ) ) {
                     return true;
+                }
 …
         return false;
+    }
+    }
     /**
 …
         $remote_ip = $_SERVER['REMOTE_ADDR'];
         // Cloudflare adds a header with the visitor's real IP, which is what we need to check.
+        // Some hosts add a Cloudflare header with the visitor's real IP, which is what we need to check.
         if ( isset( $_SERVER[ 'HTTP_CF_CONNECTING_IP' ] ) )
+        {
+            if ( $this->is_cloudflare_ip( $remote_ip ) )
+                $remote_ip = $_SERVER[ 'HTTP_CF_CONNECTING_IP' ];
+            else
+                throw new Exception( sprintf( 'Spoofed IP address %s generated from %s', $_SERVER[ 'HTTP_CF_CONNECTING_IP' ] , $remote_ip ) );
+            // We are only interested in the HTTP_CF_CONNECTING_IP if it is NOT the same as the remote IP.
+            if ( $_SERVER[ 'HTTP_CF_CONNECTING_IP' ] !== $remote_ip )
+            {
+                if ( $this->is_cloudflare_ip( $remote_ip ) )
+                    $remote_ip = $_SERVER[ 'HTTP_CF_CONNECTING_IP' ];
+                else
+                {
+                    throw new Exception( sprintf( 'Spoofed IP address %s generated from %s', $_SERVER[ 'HTTP_CF_CONNECTING_IP' ] , $remote_ip ) );
+                }
+            }
+        }

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 3432152

Legend:

mycryptocheckout/trunk/MyCryptoCheckout.php

mycryptocheckout/trunk/readme.txt

mycryptocheckout/trunk/vendor/mycryptocheckout/api/src/v2/API.php

Download in other formats: