author: Darren Boyd <dboyd@tapiocamobile.com> 2008-11-22 10:04:30 -0800
committer: Michael Koziarski <michael@koziarski.com> 2008-12-01 20:40:18 +0100
commit: 0a4a5f3129a137fc357e8444a08b135f0ad4fbe8
tree: 876fdcd3bc5b8a92431dd82f74b20ace72c1c488 /actionpack/test/controller
parent: 97403ad5fdfcdfb2110c6f8fd0ebf43b7afc4859
Making the IP Spoofing check in AbstractRequest#remote_ip configurable.
Certain groups of web proxies do not set these values properly. Notably, proxies for cell phones, which often do not set the remote IP information correctly (not surprisingly, since the clients do not have an IP address). Allowing this to be configurable makes it possible for developers to choose to ignore this simple spoofing check, when a significant amount of their traffic would result in false positives anyway.

Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#1200 state:committed]
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r-- actionpack/test/controller/request_test.rb 9
1 files changed, 9 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_test.rb b/actionpack/test/controller/request_test.rb
index 316a203e97..ba4a6da39b 100644
--- a/actionpack/test/controller/request_test.rb
+++ b/actionpack/test/controller/request_test.rb
@@ -66,6 +66,15 @@ class RequestTest < ActiveSupport::TestCase
assert_match /HTTP_X_FORWARDED_FOR="9.9.9.9, 3.4.5.6, 10.0.0.1, 172.31.4.4"/, e.message
assert_match /HTTP_CLIENT_IP="8.8.8.8"/, e.message
+ # turn IP Spoofing detection off.
+ # This is useful for sites that are aimed at non-IP clients. The typical
+ # example is WAP. Since the cellular network is not IP based, it's a
+ # leap of faith to assume that their proxies are ever going to set the
+ # HTTP_CLIENT_IP/HTTP_X_FORWARDED_FOR headers properly.
+ ActionController::Base.ip_spoofing_check = false
+ assert_equal('8.8.8.8', @request.remote_ip(true))
+ ActionController::Base.ip_spoofing_check = true
+
@request.env['HTTP_X_FORWARDED_FOR'] = '8.8.8.8, 9.9.9.9'
assert_equal '8.8.8.8', @request.remote_ip(true)
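
Review bot: The added block flips the class-level `ActionController::Base.ip_spoofing_check` to false and restores it only on the line after `assert_equal('8.8.8.8', @request.remote_ip(true))`, so a failure of that assertion leaves spoofing detection disabled for every test that runs afterwards. Put the assertion in a begin/ensure (or restore in teardown) and restore the value saved beforehand rather than a hard-coded `true`. The comment should also spell out what the assertion demonstrates: with the check off and the two headers still disagreeing (HTTP_CLIENT_IP="8.8.8.8" against the X-Forwarded-For list shown above), `remote_ip` silently returns the HTTP_CLIENT_IP value, which means applications that disable the check get an address taken from a request header that nothing has cross-checked. Since this diff is limited to the test directory, the setting's default and its documentation are not visible here; the test would be clearer if it asserted the default is `true` before changing it.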