aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
diff options
context:
space:
mode:
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG2
-rw-r--r--actionpack/lib/action_controller/base.rb4
-rwxr-xr-xactionpack/lib/action_controller/request.rb2
-rw-r--r--actionpack/test/controller/request_test.rb9
4 files changed, 16 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 1110c5cac6..352c4253f4 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*2.3.0 [Edge]*
+* Allow users to opt out of the spoofing checks in Request#remote_ip. Useful for sites whose traffic regularly triggers false positives. [Darren Boyd]
+
* Deprecated formatted_polymorphic_url. [Jeremy Kemper]
* Added the option to declare an asset_host as an object that responds to call (see http://github.com/dhh/asset-hosting-with-minimum-ssl for an example) [DHH]
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index dca66ff0a5..c2f0c1c4f6 100644
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -327,6 +327,10 @@ module ActionController #:nodoc:
# sets it to <tt>:authenticity_token</tt> by default.
cattr_accessor :request_forgery_protection_token
+ # Controls the IP Spoofing check when determining the remote IP.
+ @@ip_spoofing_check = true
+ cattr_accessor :ip_spoofing_check
+
# Indicates whether or not optimise the generated named
# route helper methods
cattr_accessor :optimise_named_routes
diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
index baa955cb04..087fffe87d 100755
--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -218,7 +218,7 @@ module ActionController
remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
if @env.include? 'HTTP_CLIENT_IP'
- if remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
+ if ActionController::Base.ip_spoofing_check && remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
# We don't know which came from the proxy, and which from the user
raise ActionControllerError.new(<<EOM)
IP spoofing attack?!
diff --git a/actionpack/test/controller/request_test.rb b/actionpack/test/controller/request_test.rb
index 316a203e97..ba4a6da39b 100644
--- a/actionpack/test/controller/request_test.rb
+++ b/actionpack/test/controller/request_test.rb
@@ -66,6 +66,15 @@ class RequestTest < ActiveSupport::TestCase
assert_match /HTTP_X_FORWARDED_FOR="9.9.9.9, 3.4.5.6, 10.0.0.1, 172.31.4.4"/, e.message
assert_match /HTTP_CLIENT_IP="8.8.8.8"/, e.message
+ # turn IP Spoofing detection off.
+ # This is useful for sites that are aimed at non-IP clients. The typical
+ # example is WAP. Since the cellular network is not IP based, it's a
+ # leap of faith to assume that their proxies are ever going to set the
+ # HTTP_CLIENT_IP/HTTP_X_FORWARDED_FOR headers properly.
+ ActionController::Base.ip_spoofing_check = false
+ assert_equal('8.8.8.8', @request.remote_ip(true))
+ ActionController::Base.ip_spoofing_check = true
+
@request.env['HTTP_X_FORWARDED_FOR'] = '8.8.8.8, 9.9.9.9'
assert_equal '8.8.8.8', @request.remote_ip(true)