From 85106decc41f1695ff6fe54452168237fd0f98d0 Mon Sep 17 00:00:00 2001
From: Tamir Duberstein <tamird@squareup.com>
Date: Tue, 4 Jun 2013 15:01:08 -0700
Subject: make sure both headers are set before checking for ip spoofing

---
 actionpack/CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'actionpack/CHANGELOG.md')

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 906592874d..31136d91b3 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,13 @@
 ## unreleased ##
 
+*   Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
+    attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
+
+    Fixes #12410
+    Backports #10844
+
+    *Tamir Duberstein*
+
 *   Fix the assert_recognizes test method so that it works when there are
     constraints on the querystring.
 
-- 
cgit v1.2.3