aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/request.rb
diff options
context:
space:
mode:
authorDavid Heinemeier Hansson <david@loudthinking.com>2008-06-03 18:11:47 -0500
committerDavid Heinemeier Hansson <david@loudthinking.com>2008-06-03 18:11:47 -0500
commitedfa195e2ace7b4fb8195333c6e44e6bf8986c11 (patch)
tree9713858ed89a82f19c269bbde124b1077b1b9d06 /actionpack/lib/action_controller/request.rb
parent8afa725f4b98a6e0ceee4792e8ebaebb6189e5f6 (diff)
downloadrails-edfa195e2ace7b4fb8195333c6e44e6bf8986c11.tar.gz
rails-edfa195e2ace7b4fb8195333c6e44e6bf8986c11.tar.bz2
rails-edfa195e2ace7b4fb8195333c6e44e6bf8986c11.zip
Fixed Request#remote_ip to only raise hell if the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR doesnt match (not just if theyre both present) [Mark Imbriaco, Bradford Folkens]
Diffstat (limited to 'actionpack/lib/action_controller/request.rb')
-rwxr-xr-xactionpack/lib/action_controller/request.rb9
1 files changed, 5 insertions, 4 deletions
diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
index a35b904194..9b02f2c8a1 100755
--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -134,14 +134,15 @@ module ActionController
# REMOTE_ADDR is a proxy. HTTP_X_FORWARDED_FOR may be a comma-
# delimited list in the case of multiple chained proxies; the last
# address which is not trusted is the originating IP.
-
def remote_ip
if TRUSTED_PROXIES !~ @env['REMOTE_ADDR']
return @env['REMOTE_ADDR']
end
+ remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
+
if @env.include? 'HTTP_CLIENT_IP'
- if @env.include? 'HTTP_X_FORWARDED_FOR'
+ if remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
# We don't know which came from the proxy, and which from the user
raise ActionControllerError.new(<<EOM)
IP spoofing attack?!
@@ -149,11 +150,11 @@ HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect}
HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}
EOM
end
+
return @env['HTTP_CLIENT_IP']
end
- if @env.include? 'HTTP_X_FORWARDED_FOR' then
- remote_ips = @env['HTTP_X_FORWARDED_FOR'].split(',')
+ if remote_ips
while remote_ips.size > 1 && TRUSTED_PROXIES =~ remote_ips.last.strip
remote_ips.pop
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-02 11:22:08 +0000