Request#remote_ip handles the uncommon case that REMOTE_ADDR is a comma-separated list.

[#523 state:resolved]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>

2 files changed, 8 insertions, 3 deletions

diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
index 364e6201cc..d793ade702 100644..100755
--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -197,10 +197,12 @@ module ActionController
     # delimited list in the case of multiple chained proxies; the last
     # address which is not trusted is the originating IP.
     def remote_ip
-      if TRUSTED_PROXIES !~ @env['REMOTE_ADDR']
-        return @env['REMOTE_ADDR']
-      end
+      remote_addr_list = @env['REMOTE_ADDR'] && @env['REMOTE_ADDR'].split(',').collect(&:strip)
 
+      unless remote_addr_list.blank?
+        not_trusted_addrs = remote_addr_list.reject {|addr| addr =~ TRUSTED_PROXIES}
+        return not_trusted_addrs.first unless not_trusted_addrs.empty?
+      end
       remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
 
       if @env.include? 'HTTP_CLIENT_IP'
diff --git a/actionpack/test/controller/request_test.rb b/actionpack/test/controller/request_test.rb
index 045dab4141..e79a0ea76b 100644
--- a/actionpack/test/controller/request_test.rb
+++ b/actionpack/test/controller/request_test.rb
@@ -17,6 +17,9 @@ class RequestTest < Test::Unit::TestCase
     @request.remote_addr = '1.2.3.4'
     assert_equal '1.2.3.4', @request.remote_ip(true)
 
+    @request.remote_addr = '1.2.3.4,3.4.5.6'
+    assert_equal '1.2.3.4', @request.remote_ip(true)
+
     @request.env['HTTP_CLIENT_IP'] = '2.3.4.5'
     assert_equal '1.2.3.4', @request.remote_ip(true)