From 9a9caf646d020e33ccdeac0f9b114acec019b599 Mon Sep 17 00:00:00 2001 From: Carl Lerche Date: Wed, 3 Mar 2010 11:01:49 -0800 Subject: Add a BlockUntrustedIps middleware --- actionpack/lib/action_dispatch.rb | 1 + .../middleware/block_untrusted_ips.rb | 25 ++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 actionpack/lib/action_dispatch/middleware/block_untrusted_ips.rb (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb index 479ea959e6..1abb283b11 100644 --- a/actionpack/lib/action_dispatch.rb +++ b/actionpack/lib/action_dispatch.rb @@ -42,6 +42,7 @@ module ActionDispatch end autoload_under 'middleware' do + autoload :BlockUntrustedIps autoload :Callbacks autoload :Cascade autoload :Cookies diff --git a/actionpack/lib/action_dispatch/middleware/block_untrusted_ips.rb b/actionpack/lib/action_dispatch/middleware/block_untrusted_ips.rb new file mode 100644 index 0000000000..8aed0c45a6 --- /dev/null +++ b/actionpack/lib/action_dispatch/middleware/block_untrusted_ips.rb @@ -0,0 +1,25 @@ +module ActionDispatch + class BlockUntrustedIps + class SpoofAttackError < StandardError ; end + + def initialize(app) + @app = app + end + + def call(env) + if @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_CLIENT_IP'] + remote_ips = @env['HTTP_X_FORWARDED_FOR'].split(',') + + unless remote_ips.include?(@env['HTTP_CLIENT_IP']) + http_client_ip = @env['HTTP_CLIENT_IP'].inspect + http_forwarded_for = @env['HTTP_X_FORWARDED_FOR'].inspect + + raise SpoofAttackError, "IP spoofing attack?!\n " \ + "HTTP_CLIENT_IP=#{http_client_ip}\n HTTP_X_FORWARDED_FOR=http_forwarded_for" + end + end + + @app.call(env) + end + end +end \ No newline at end of file -- cgit v1.2.3
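Review bot: In the new `block_untrusted_ips.rb`, `call(env)` reads `@env[...]` in every line of the spoof check, but that instance variable is never assigned (`initialize` only stores `@app`), so `@env['HTTP_X_FORWARDED_FOR']` raises NoMethodError on nil for every request and `@app.call(env)` is never reached; the lookups must use the `env` parameter. Two further defects sit in the same block: `split(',')` keeps the space that proxies conventionally put after each comma in `X-Forwarded-For`, so a forwarded chain like `a, b` yields the element `" b"`, `include?` fails for a legitimate `Client-IP` of `b`, and the request is rejected as spoofed — a false positive that denies service to clients behind a well-behaved proxy; and the error message prints the literal text `http_forwarded_for` because its `#{}` is missing, so the value the operator needs for triage is dropped. Using `env` throughout, stripping whitespace on both sides of the comparison, and interpolating the second value fixes all three; the rewritten body is below. The `action_dispatch.rb` hunk only registers the autoload and needs nothing.
```ruby
    def call(env)
      if env['HTTP_X_FORWARDED_FOR'] && env['HTTP_CLIENT_IP']
        remote_ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)

        unless remote_ips.include?(env['HTTP_CLIENT_IP'].strip)
          http_client_ip = env['HTTP_CLIENT_IP'].inspect
          http_forwarded_for = env['HTTP_X_FORWARDED_FOR'].inspect

          raise SpoofAttackError, "IP spoofing attack?!\n " \
            "HTTP_CLIENT_IP=#{http_client_ip}\n HTTP_X_FORWARDED_FOR=#{http_forwarded_for}"
        # … unchanged: closing of unless/if, @app.call(env), end …
```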