Merge pull request #12410 from tamird/fix-ip-spoof-errors

Fix ip spoof errors
author: Andrew White <andyw@pixeltrix.co.uk> 2013-10-01 01:28:07 -0700
committer: Andrew White <andyw@pixeltrix.co.uk> 2013-10-01 01:28:07 -0700
commit: 83c4b0a7f977b75a9005ceb78d8a2a719392d904 (patch)
tree: 8e92885aa33b10f2109d365367b68724c42810f3 /actionpack/CHANGELOG.md
parent: ccd11d58910059f07b28cc518dbdad42cbc8ea0c (diff)
parent: 85106decc41f1695ff6fe54452168237fd0f98d0 (diff)
download: rails-83c4b0a7f977b75a9005ceb78d8a2a719392d904.tar.gz
rails-83c4b0a7f977b75a9005ceb78d8a2a719392d904.tar.bz2
rails-83c4b0a7f977b75a9005ceb78d8a2a719392d904.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 906592874d..31136d91b3 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,13 @@
 ## unreleased ##
 
+*   Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
+    attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
+
+    Fixes #12410
+    Backports #10844
+
+    *Tamir Duberstein*
+
 *   Fix the assert_recognizes test method so that it works when there are
     constraints on the querystring.
author	Andrew White <andyw@pixeltrix.co.uk>	2013-10-01 01:28:07 -0700
committer	Andrew White <andyw@pixeltrix.co.uk>	2013-10-01 01:28:07 -0700
commit	83c4b0a7f977b75a9005ceb78d8a2a719392d904 (patch)
tree	8e92885aa33b10f2109d365367b68724c42810f3 /actionpack/CHANGELOG.md
parent	ccd11d58910059f07b28cc518dbdad42cbc8ea0c (diff)
parent	85106decc41f1695ff6fe54452168237fd0f98d0 (diff)
download	rails-83c4b0a7f977b75a9005ceb78d8a2a719392d904.tar.gz rails-83c4b0a7f977b75a9005ceb78d8a2a719392d904.tar.bz2 rails-83c4b0a7f977b75a9005ceb78d8a2a719392d904.zip