Based on the code in LookingGlass.php, part of the validation process is to reject RFC1918 (private, e.g. 10.x.x.x, 192.168.x.x, etc.) IP space, but after the validIP function fails, an IP address can be allowed through the validURL function. I added some code in the validURL function to catch an IP address that sneaks through the validIP function. Only a private IP would get this far, so any IP address is rejected.
```php
private function validUrl($url)
{
    // check for http
    if (stripos($url, 'http') === false) {
        $url = 'http://' . $url;
    }
    // validate url
    if (filter_var($url, FILTER_VALIDATE_URL)) {
        // parse url for host
        if ($host = parse_url($url, PHP_URL_HOST)) {
            // check if an IP address made it this far and fail validation (useful for filtering out private space)
            if (filter_var($host, FILTER_VALIDATE_IP)) {
                return false;
            }
            // otherwise return just the host (not full url)
            return $host;
        }
        return $url;
    }
    return false;
}
```
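To see the bypass and the fix side by side, here is a stand-alone PHP script added as an example; it is not LookingGlass's own code. It models the two-stage check the issue describes (validIP first, then validUrl) with both the original and the patched validUrl; the filter flags used in `validIp()` and the `accept()` caller are assumptions, not copied from LookingGlass.php.

```php
<?php
// Added example, not LookingGlass's own code: models the two-stage check the
// issue describes. The flags in validIp() are assumed; the project's exact
// RFC1918 check may differ.
function validIp(string $ip): bool {
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Shared part of validUrl(): add a scheme, validate, and return the host.
function urlHost(string $url) {
    if (stripos($url, 'http') === false) {
        $url = 'http://' . $url;
    }
    if (!filter_var($url, FILTER_VALIDATE_URL)) {
        return false;
    }
    return parse_url($url, PHP_URL_HOST) ?: $url;
}

// Original behaviour: an IP literal that already failed validIp() comes back
// as a valid host, so a private address is accepted after all.
function validUrlOriginal(string $url) {
    return urlHost($url);
}

// Patched behaviour from the issue: reject any IP literal here, since the only
// IPs that reach this function are ones validIp() has already refused.
function validUrlPatched(string $url) {
    $host = urlHost($url);
    if ($host !== false && filter_var($host, FILTER_VALIDATE_IP)) {
        return false;
    }
    return $host;
}

// Caller as the issue describes it (assumed): validIp() first, then validUrl().
function accept(string $input, callable $validUrl) {
    return validIp($input) ? $input : $validUrl($input);
}

// Constructed sample inputs: two RFC1918 addresses, one public, one hostname.
foreach (['10.0.0.1', '192.168.1.1', '8.8.8.8', 'example.com'] as $target) {
    printf("%-12s original=%s patched=%s\n", $target,
        var_export(accept($target, 'validUrlOriginal'), true),
        var_export(accept($target, 'validUrlPatched'), true));
}
```

The patched check only covers IP literals: a hostname that resolves to private space still comes back as a valid host, so the resolved address needs its own range check before it is used.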