Merge branch 'master' of git@github.com:rails/rails

4 files changed, 55 insertions, 1 deletions

diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index dca66ff0a5..c2f0c1c4f6 100644
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -327,6 +327,10 @@ module ActionController #:nodoc:
     # sets it to <tt>:authenticity_token</tt> by default.
     cattr_accessor :request_forgery_protection_token
 
+    # Controls the IP Spoofing check when determining the remote IP.
+    @@ip_spoofing_check = true
+    cattr_accessor :ip_spoofing_check
+
     # Indicates whether or not optimise the generated named
     # route helper methods
     cattr_accessor :optimise_named_routes
diff --git a/actionpack/lib/action_controller/dispatcher.rb b/actionpack/lib/action_controller/dispatcher.rb
index e7345621cc..47199af2b4 100644
--- a/actionpack/lib/action_controller/dispatcher.rb
+++ b/actionpack/lib/action_controller/dispatcher.rb
@@ -85,6 +85,9 @@ module ActionController
         end
     end
 
+    cattr_accessor :middleware
+    self.middleware = MiddlewareStack.new
+
     cattr_accessor :error_file_path
     self.error_file_path = Rails.public_path if defined?(Rails.public_path)
 
@@ -93,6 +96,7 @@ module ActionController
 
     def initialize(output = $stdout, request = nil, response = nil)
       @output, @request, @response = output, request, response
+      @app = @@middleware.build(lambda { |env| self._call(env) })
     end
 
     def dispatch_unlocked
@@ -127,6 +131,10 @@ module ActionController
     end
 
     def call(env)
+      @app.call(env)
+    end
+
+    def _call(env)
       @request = RackRequest.new(env)
       @response = RackResponse.new(@request)
       dispatch
diff --git a/actionpack/lib/action_controller/middleware_stack.rb b/actionpack/lib/action_controller/middleware_stack.rb
new file mode 100644
index 0000000000..1864bed23a
--- /dev/null
+++ b/actionpack/lib/action_controller/middleware_stack.rb
@@ -0,0 +1,42 @@
+module ActionController
+  class MiddlewareStack < Array
+    class Middleware
+      attr_reader :klass, :args, :block
+
+      def initialize(klass, *args, &block)
+        @klass = klass.is_a?(Class) ? klass : klass.to_s.constantize
+        @args = args
+        @block = block
+      end
+
+      def ==(middleware)
+        case middleware
+        when Middleware
+          klass == middleware.klass
+        when Class
+          klass == middleware
+        else
+          klass == middleware.to_s.constantize
+        end
+      end
+
+      def inspect
+        str = @klass.to_s
+        @args.each { |arg| str += ", #{arg.inspect}" }
+        str
+      end
+
+      def build(app)
+        klass.new(app, *args, &block)
+      end
+    end
+
+    def use(*args, &block)
+      push(Middleware.new(*args, &block))
+    end
+
+    def build(app)
+      reverse.inject(app) { |a, e| e.build(a) }
+    end
+  end
+end
diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
index baa955cb04..087fffe87d 100755
--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -218,7 +218,7 @@ module ActionController
       remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
 
       if @env.include? 'HTTP_CLIENT_IP'
-        if remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
+        if ActionController::Base.ip_spoofing_check && remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
           # We don't know which came from the proxy, and which from the user
           raise ActionControllerError.new(<<EOM)
 IP spoofing attack?!