diff options
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/CHANGELOG | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_controller.rb | 1 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/base.rb | 4 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/dispatcher.rb | 8 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/middleware_stack.rb | 42 | ||||
| -rwxr-xr-x | actionpack/lib/action_controller/request.rb | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_view/helpers/asset_tag_helper.rb | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_view/helpers/text_helper.rb | 8 | ||||
| -rw-r--r-- | actionpack/test/controller/request_test.rb | 9 | ||||
| -rw-r--r-- | actionpack/test/template/text_helper_test.rb | 7 |
10 files changed, 78 insertions, 7 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 1110c5cac6..352c4253f4 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,5 +1,7 @@ *2.3.0 [Edge]* +* Allow users to opt out of the spoofing checks in Request#remote_ip. Useful for sites whose traffic regularly triggers false positives. [Darren Boyd] + * Deprecated formatted_polymorphic_url. [Jeremy Kemper] * Added the option to declare an asset_host as an object that responds to call (see http://github.com/dhh/asset-hosting-with-minimum-ssl for an example) [DHH] diff --git a/actionpack/lib/action_controller.rb b/actionpack/lib/action_controller.rb index da5f1e81e6..2981f625a1 100644 --- a/actionpack/lib/action_controller.rb +++ b/actionpack/lib/action_controller.rb @@ -57,6 +57,7 @@ module ActionController autoload :Integration, 'action_controller/integration' autoload :IntegrationTest, 'action_controller/integration' autoload :Layout, 'action_controller/layout' + autoload :MiddlewareStack, 'action_controller/middleware_stack' autoload :MimeResponds, 'action_controller/mime_responds' autoload :PolymorphicRoutes, 'action_controller/polymorphic_routes' autoload :RackRequest, 'action_controller/rack_process' diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index dca66ff0a5..c2f0c1c4f6 100644 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -327,6 +327,10 @@ module ActionController #:nodoc: # sets it to <tt>:authenticity_token</tt> by default. cattr_accessor :request_forgery_protection_token + # Controls the IP Spoofing check when determining the remote IP. + @@ip_spoofing_check = true + cattr_accessor :ip_spoofing_check + # Indicates whether or not optimise the generated named # route helper methods cattr_accessor :optimise_named_routes diff --git a/actionpack/lib/action_controller/dispatcher.rb b/actionpack/lib/action_controller/dispatcher.rb index e7345621cc..47199af2b4 100644 --- a/actionpack/lib/action_controller/dispatcher.rb +++ b/actionpack/lib/action_controller/dispatcher.rb @@ -85,6 +85,9 @@ module ActionController end end + cattr_accessor :middleware + self.middleware = MiddlewareStack.new + cattr_accessor :error_file_path self.error_file_path = Rails.public_path if defined?(Rails.public_path) @@ -93,6 +96,7 @@ module ActionController def initialize(output = $stdout, request = nil, response = nil) @output, @request, @response = output, request, response + @app = @@middleware.build(lambda { |env| self._call(env) }) end def dispatch_unlocked @@ -127,6 +131,10 @@ module ActionController end def call(env) + @app.call(env) + end + + def _call(env) @request = RackRequest.new(env) @response = RackResponse.new(@request) dispatch diff --git a/actionpack/lib/action_controller/middleware_stack.rb b/actionpack/lib/action_controller/middleware_stack.rb new file mode 100644 index 0000000000..1864bed23a --- /dev/null +++ b/actionpack/lib/action_controller/middleware_stack.rb @@ -0,0 +1,42 @@ +module ActionController + class MiddlewareStack < Array + class Middleware + attr_reader :klass, :args, :block + + def initialize(klass, *args, &block) + @klass = klass.is_a?(Class) ? klass : klass.to_s.constantize + @args = args + @block = block + end + + def ==(middleware) + case middleware + when Middleware + klass == middleware.klass + when Class + klass == middleware + else + klass == middleware.to_s.constantize + end + end + + def inspect + str = @klass.to_s + @args.each { |arg| str += ", #{arg.inspect}" } + str + end + + def build(app) + klass.new(app, *args, &block) + end + end + + def use(*args, &block) + push(Middleware.new(*args, &block)) + end + + def build(app) + reverse.inject(app) { |a, e| e.build(a) } + end + end +end diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb index baa955cb04..087fffe87d 100755 --- a/actionpack/lib/action_controller/request.rb +++ b/actionpack/lib/action_controller/request.rb @@ -218,7 +218,7 @@ module ActionController remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',') if @env.include? 'HTTP_CLIENT_IP' - if remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP']) + if ActionController::Base.ip_spoofing_check && remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP']) # We don't know which came from the proxy, and which from the user raise ActionControllerError.new(<<EOM) IP spoofing attack?! diff --git a/actionpack/lib/action_view/helpers/asset_tag_helper.rb b/actionpack/lib/action_view/helpers/asset_tag_helper.rb index 4ec7a383e5..0633d5414e 100644 --- a/actionpack/lib/action_view/helpers/asset_tag_helper.rb +++ b/actionpack/lib/action_view/helpers/asset_tag_helper.rb @@ -574,7 +574,7 @@ module ActionView private def request - @controller.request + request? && @controller.request end def request? diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb index 506138a735..1d9e4fe9b8 100644 --- a/actionpack/lib/action_view/helpers/text_helper.rb +++ b/actionpack/lib/action_view/helpers/text_helper.rb @@ -370,8 +370,8 @@ module ActionView options.reverse_merge!(:link => :all, :html => {}) case options[:link].to_sym - when :all then auto_link_email_addresses(auto_link_urls(text, options[:html], &block), &block) - when :email_addresses then auto_link_email_addresses(text, &block) + when :all then auto_link_email_addresses(auto_link_urls(text, options[:html], &block), options[:html], &block) + when :email_addresses then auto_link_email_addresses(text, options[:html], &block) when :urls then auto_link_urls(text, options[:html], &block) end end @@ -559,7 +559,7 @@ module ActionView # Turns all email addresses into clickable links. If a block is given, # each email is yielded and the result is used as the link text. - def auto_link_email_addresses(text) + def auto_link_email_addresses(text, html_options = {}) body = text.dup text.gsub(/([\w\.!#\$%\-+.]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+)/) do text = $1 @@ -568,7 +568,7 @@ module ActionView text else display_text = (block_given?) ? yield(text) : text - %{<a href="mailto:#{text}">#{display_text}</a>} + mail_to text, display_text, html_options end end end diff --git a/actionpack/test/controller/request_test.rb b/actionpack/test/controller/request_test.rb index 316a203e97..ba4a6da39b 100644 --- a/actionpack/test/controller/request_test.rb +++ b/actionpack/test/controller/request_test.rb @@ -66,6 +66,15 @@ class RequestTest < ActiveSupport::TestCase assert_match /HTTP_X_FORWARDED_FOR="9.9.9.9, 3.4.5.6, 10.0.0.1, 172.31.4.4"/, e.message assert_match /HTTP_CLIENT_IP="8.8.8.8"/, e.message + # turn IP Spoofing detection off. + # This is useful for sites that are aimed at non-IP clients. The typical + # example is WAP. Since the cellular network is not IP based, it's a + # leap of faith to assume that their proxies are ever going to set the + # HTTP_CLIENT_IP/HTTP_X_FORWARDED_FOR headers properly. + ActionController::Base.ip_spoofing_check = false + assert_equal('8.8.8.8', @request.remote_ip(true)) + ActionController::Base.ip_spoofing_check = true + @request.env['HTTP_X_FORWARDED_FOR'] = '8.8.8.8, 9.9.9.9' assert_equal '8.8.8.8', @request.remote_ip(true) diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb index 3e7a8f3e44..a6200fbdd7 100644 --- a/actionpack/test/template/text_helper_test.rb +++ b/actionpack/test/template/text_helper_test.rb @@ -262,6 +262,11 @@ class TextHelperTest < ActionView::TestCase email2_result = %{<a href="mailto:#{email2_raw}">#{email2_raw}</a>} assert_equal email2_result, auto_link(email2_raw) + email3_raw = '+david@loudthinking.com' + email3_result = %{<a href="mailto:+%64%61%76%69%64@%6c%6f%75%64%74%68%69%6e%6b%69%6e%67.%63%6f%6d">#{email3_raw}</a>} + assert_equal email3_result, auto_link(email3_raw, :all, :encode => :hex) + assert_equal email3_result, auto_link(email3_raw, :email_addresses, :encode => :hex) + link2_raw = 'www.rubyonrails.com' link2_result = generate_result(link2_raw, "http://#{link2_raw}") assert_equal %(Go to #{link2_result}), auto_link("Go to #{link2_raw}", :urls) @@ -362,7 +367,7 @@ class TextHelperTest < ActionView::TestCase end def test_auto_link_with_options_hash - assert_dom_equal 'Welcome to my new blog at <a href="http://www.myblog.com/" class="menu" target="_blank">http://www.myblog.com/</a>. Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.', + assert_dom_equal 'Welcome to my new blog at <a href="http://www.myblog.com/" class="menu" target="_blank">http://www.myblog.com/</a>. Please e-mail me at <a href="mailto:me@email.com" class="menu" target="_blank">me@email.com</a>.', auto_link("Welcome to my new blog at http://www.myblog.com/. Please e-mail me at me@email.com.", :link => :all, :html => { :class => "menu", :target => "_blank" }) end |