From edfa195e2ace7b4fb8195333c6e44e6bf8986c11 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Tue, 3 Jun 2008 18:11:47 -0500
Subject: Fixed Request#remote_ip to only raise hell if the HTTP_CLIENT_IP and
 HTTP_X_FORWARDED_FOR doesnt match (not just if theyre both present) [Mark
 Imbriaco, Bradford Folkens]

---
 actionpack/lib/action_controller/request.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'actionpack/lib/action_controller')

diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
index a35b904194..9b02f2c8a1 100755
--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -134,14 +134,15 @@ module ActionController
     # REMOTE_ADDR is a proxy.  HTTP_X_FORWARDED_FOR may be a comma-
     # delimited list in the case of multiple chained proxies; the last
     # address which is not trusted is the originating IP.
-
     def remote_ip
       if TRUSTED_PROXIES !~ @env['REMOTE_ADDR']
         return @env['REMOTE_ADDR']
       end
 
+      remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
+
       if @env.include? 'HTTP_CLIENT_IP'
-        if @env.include? 'HTTP_X_FORWARDED_FOR'
+        if remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
           # We don't know which came from the proxy, and which from the user
           raise ActionControllerError.new(<<EOM)
 IP spoofing attack?!
@@ -149,11 +150,11 @@ HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect}
 HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}
 EOM
         end
+
         return @env['HTTP_CLIENT_IP']
       end
 
-      if @env.include? 'HTTP_X_FORWARDED_FOR' then
-        remote_ips = @env['HTTP_X_FORWARDED_FOR'].split(',')
+      if remote_ips
         while remote_ips.size > 1 && TRUSTED_PROXIES =~ remote_ips.last.strip
           remote_ips.pop
         end
-- 
cgit v1.2.3