blob: 8aed0c45a6623fa7b487261ada1e7cf41d7b6219 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
module ActionDispatch
class BlockUntrustedIps
class SpoofAttackError < StandardError ; end
def initialize(app)
@app = app
end
def call(env)
if @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_CLIENT_IP']
remote_ips = @env['HTTP_X_FORWARDED_FOR'].split(',')
unless remote_ips.include?(@env['HTTP_CLIENT_IP'])
http_client_ip = @env['HTTP_CLIENT_IP'].inspect
http_forwarded_for = @env['HTTP_X_FORWARDED_FOR'].inspect
raise SpoofAttackError, "IP spoofing attack?!\n " \
"HTTP_CLIENT_IP=#{http_client_ip}\n HTTP_X_FORWARDED_FOR=http_forwarded_for"
end
end
@app.call(env)
end
end
end
|