make sure both headers are set before checking for ip spoofing

author: Tamir Duberstein <tamird@squareup.com> 2013-06-04 15:01:08 -0700
committer: Tamir Duberstein <tamird@squareup.com> 2013-06-04 15:01:08 -0700
commit: ccd6f8b931efa7b3eb191a62522fbfc89389b091 (patch)
tree: b19a87ff66bdd3f956d49eb82c834c4b80b3455b /actionpack
parent: 95296f1a7a2ae0490546c0d3010fc435558911c8 (diff)
download: rails-ccd6f8b931efa7b3eb191a62522fbfc89389b091.tar.gz
rails-ccd6f8b931efa7b3eb191a62522fbfc89389b091.tar.bz2
rails-ccd6f8b931efa7b3eb191a62522fbfc89389b091.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/remote_ip.rb b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
index 8879291dbd..57bc6d5cd0 100644
--- a/actionpack/lib/action_dispatch/middleware/remote_ip.rb
+++ b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
@@ -143,7 +143,7 @@ module ActionDispatch
         # proxies with incompatible IP header conventions, and there is no way
         # for us to determine which header is the right one after the fact.
         # Since we have no idea, we give up and explode.
-        should_check_ip = @check_ip && client_ips.last
+        should_check_ip = @check_ip && client_ips.last && forwarded_ips.last
         if should_check_ip && !forwarded_ips.include?(client_ips.last)
           # We don't know which came from the proxy, and which from the user
           raise IpSpoofAttackError, "IP spoofing attack?! " +
author	Tamir Duberstein <tamird@squareup.com>	2013-06-04 15:01:08 -0700
committer	Tamir Duberstein <tamird@squareup.com>	2013-06-04 15:01:08 -0700
commit	ccd6f8b931efa7b3eb191a62522fbfc89389b091 (patch)
tree	b19a87ff66bdd3f956d49eb82c834c4b80b3455b /actionpack
parent	95296f1a7a2ae0490546c0d3010fc435558911c8 (diff)
download	rails-ccd6f8b931efa7b3eb191a62522fbfc89389b091.tar.gz rails-ccd6f8b931efa7b3eb191a62522fbfc89389b091.tar.bz2 rails-ccd6f8b931efa7b3eb191a62522fbfc89389b091.zip