From c06cb17d4b0e23d0547fde930ac5ff14799e0a09 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Thu, 24 Jul 2014 10:33:49 +0100
Subject: [PATCH] Use REMOTE_ADDR which is more reliably set. Thanks Bianka Martinovic for reporting.
Signed-off-by: Edward Z. Yang
---
 NEWS.txt | 7 +++++++
 csrf-magic.php | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/NEWS.txt b/NEWS.txt
index 66d52f6..a8bf21c 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -1,6 +1,13 @@
 [[ news ]]
+1.0.5 released 2014-07-24
+
+ [BUG FIXES]
+
+ - In some server environments, IP address was not being detected
+ properly. Thanks Bianka Martinovic for reporting.
+
 1.0.4 released 2013-07-17
 [SECURITY FIXES]
diff --git a/csrf-magic.php b/csrf-magic.php
index 58f4eba..bdbc612 100644
--- a/csrf-magic.php
+++ b/csrf-magic.php
@@ -217,7 +217,7 @@ function csrf_get_tokens() {
 $secret = csrf_get_secret();
 if (!$has_cookies && $secret) {
 // :TODO: Harden this against proxy-spoofing attacks
- $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
+ $ip = ';ip:' . csrf_hash($_SERVER['REMOTE_ADDR']);
 } else {
 $ip = '';
 }
--
2.11.4.GIT
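Review bot: The new `$_SERVER['REMOTE_ADDR']` read in the `!$has_cookies && $secret` branch is still unguarded, so in an environment that does not populate it (CLI, some unusual SAPIs) the code hashes an empty value and presumably yields the same `;ip:` component for every cookieless client, which is the symptom this commit is fixing for the old `IP_ADDRESS` key. I would skip the fallback when the value is missing, e.g. `if (!$has_cookies && $secret && !empty($_SERVER['REMOTE_ADDR'])) {`. The `:TODO:` line could also state what remains open, for example `// REMOTE_ADDR is the proxy/NAT egress address when one is in front; clients behind it share this component. Do not substitute X-Forwarded-For unless it comes from a configured trusted proxy.` csrf_get_tokens() begins and ends outside the hunk, so how `$ip` is combined into the token is not visible here.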