make sure both headers are set before checking for ip spoofing

author: Tamir Duberstein <tamird@squareup.com> 2013-06-04 15:01:08 -0700
committer: Tamir Duberstein <tamird@squareup.com> 2013-10-01 01:26:07 -0700
commit: 85106decc41f1695ff6fe54452168237fd0f98d0 (patch)
tree: 8e92885aa33b10f2109d365367b68724c42810f3 /actionpack/lib
parent: ccd11d58910059f07b28cc518dbdad42cbc8ea0c (diff)
download: rails-85106decc41f1695ff6fe54452168237fd0f98d0.tar.gz
rails-85106decc41f1695ff6fe54452168237fd0f98d0.tar.bz2
rails-85106decc41f1695ff6fe54452168237fd0f98d0.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/remote_ip.rb b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
index 66ece60860..f4545bd95e 100644
--- a/actionpack/lib/action_dispatch/middleware/remote_ip.rb
+++ b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
@@ -49,7 +49,7 @@ module ActionDispatch
         forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR')
         remote_addrs  = ips_from('REMOTE_ADDR')
 
-        check_ip = client_ip && @middleware.check_ip
+        check_ip = client_ip && forwarded_ips.present? && @middleware.check_ip
         if check_ip && !forwarded_ips.include?(client_ip)
           # We don't know which came from the proxy, and which from the user
           raise IpSpoofAttackError, "IP spoofing attack?!" \
author	Tamir Duberstein <tamird@squareup.com>	2013-06-04 15:01:08 -0700
committer	Tamir Duberstein <tamird@squareup.com>	2013-10-01 01:26:07 -0700
commit	85106decc41f1695ff6fe54452168237fd0f98d0 (patch)
tree	8e92885aa33b10f2109d365367b68724c42810f3 /actionpack/lib
parent	ccd11d58910059f07b28cc518dbdad42cbc8ea0c (diff)
download	rails-85106decc41f1695ff6fe54452168237fd0f98d0.tar.gz rails-85106decc41f1695ff6fe54452168237fd0f98d0.tar.bz2 rails-85106decc41f1695ff6fe54452168237fd0f98d0.zip