From 85106decc41f1695ff6fe54452168237fd0f98d0 Mon Sep 17 00:00:00 2001 From: Tamir Duberstein Date: Tue, 4 Jun 2013 15:01:08 -0700 Subject: make sure both headers are set before checking for ip spoofing --- actionpack/lib/action_dispatch/middleware/remote_ip.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionpack/lib/action_dispatch/middleware/remote_ip.rb') diff --git a/actionpack/lib/action_dispatch/middleware/remote_ip.rb b/actionpack/lib/action_dispatch/middleware/remote_ip.rb index 66ece60860..f4545bd95e 100644 --- a/actionpack/lib/action_dispatch/middleware/remote_ip.rb +++ b/actionpack/lib/action_dispatch/middleware/remote_ip.rb @@ -49,7 +49,7 @@ module ActionDispatch forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR') remote_addrs = ips_from('REMOTE_ADDR') - check_ip = client_ip && @middleware.check_ip + check_ip = client_ip && forwarded_ips.present? && @middleware.check_ip if check_ip && !forwarded_ips.include?(client_ip) # We don't know which came from the proxy, and which from the user raise IpSpoofAttackError, "IP spoofing attack?!" \ -- cgit v1.2.3