Description: Ruby on Rails
Homepage: http://rubyonrails.org
Clone URL: git://github.com/rails/rails.git
Making the IP Spoofing check in AbstractRequest#remote_ip configurable.

Certain groups of web proxies do not set these values properly.  Notably,
proxies for cell phones, which often do not set the remote IP information
correctly (not surprisingly, since the clients do not have an IP address).

Allowing this to be configurable makes it possible for developers to choose
to ignore this simple spoofing check, when a significant amount of their
traffic would result in false positives anyway.

Signed-off-by: Michael Koziarski <michael@koziarski.com>

[#1200 state:committed]
darrenboyd (author)
Sat Nov 22 10:04:30 -0800 2008
NZKoz (committer)
Mon Dec 01 11:40:18 -0800 2008
commit  0a4a5f3129a137fc357e8444a08b135f0ad4fbe8
tree    876fdcd3bc5b8a92431dd82f74b20ace72c1c488
parent  97403ad5fdfcdfb2110c6f8fd0ebf43b7afc4859
@@ -1,5 +1,7 @@
 *2.3.0 [Edge]*
 
+* Allow users to opt out of the spoofing checks in Request#remote_ip.  Useful for sites whose traffic regularly triggers false positives. [Darren Boyd]
+
 * Deprecated formatted_polymorphic_url.  [Jeremy Kemper]
 
 * Added the option to declare an asset_host as an object that responds to call (see http://github.com/dhh/asset-hosting-with-minimum-ssl for an example) [DHH]
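Review bot: the CHANGELOG entry names Request#remote_ip but not the switch that controls it; since the accessor added in this commit is ActionController::Base.ip_spoofing_check, name it here (e.g. `ActionController::Base.ip_spoofing_check = false`) so users can find the setting, and state what opting out means: remote_ip will then return a client-supplied HTTP_CLIENT_IP without cross-checking it against HTTP_X_FORWARDED_FOR, as the test added in this commit shows.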
@@ -327,6 +327,10 @@ module ActionController #:nodoc:
     # sets it to <tt>:authenticity_token</tt> by default.
     cattr_accessor :request_forgery_protection_token
 
+    # Controls the IP Spoofing check when determining the remote IP.
+    @@ip_spoofing_check = true
+    cattr_accessor :ip_spoofing_check
+
     # Indicates whether or not optimise the generated named
     # route helper methods
     cattr_accessor :optimise_named_routes
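Review bot: the doc comment above `@@ip_spoofing_check` only says it "controls" the check; it should also state the default (true) and the consequence of false, namely that remote_ip will accept HTTP_CLIENT_IP as-is even when it disagrees with HTTP_X_FORWARDED_FOR, so that anyone switching it off understands the returned address is then taken from a header the client can set and should not be relied on for anything security-sensitive.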
@@ -218,7 +218,7 @@ module ActionController
       remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
 
       if @env.include? 'HTTP_CLIENT_IP'
-        if remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
+        if ActionController::Base.ip_spoofing_check && remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
           # We don't know which came from the proxy, and which from the user
           raise ActionControllerError.new(<<EOM)
 IP spoofing attack?!
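Review bot: with the new guard the `raise` is skipped but the method still continues to return @env['HTTP_CLIENT_IP'] (the test in this commit asserts exactly that, getting '8.8.8.8' back with the check off), so disabling the check makes remote_ip echo whatever the client sent in that header; that should be spelled out next to the option. Separately, `remote_ips` comes from `split(',')` with no stripping of whitespace, so a list formatted as "9.9.9.9, 3.4.5.6" (the form the test's expected message shows) yields entries like " 3.4.5.6" and `include?` only matches HTTP_CLIENT_IP when it is the first entry; stripping each entry may remove some of the false positives this option is being added to avoid.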
@@ -66,6 +66,15 @@ class RequestTest < ActiveSupport::TestCase
     assert_match /HTTP_X_FORWARDED_FOR="9.9.9.9, 3.4.5.6, 10.0.0.1, 172.31.4.4"/, e.message
     assert_match /HTTP_CLIENT_IP="8.8.8.8"/, e.message
 
+    # turn IP Spoofing detection off.
+    # This is useful for sites that are aimed at non-IP clients.  The typical
+    # example is WAP.  Since the cellular network is not IP based, it's a
+    # leap of faith to assume that their proxies are ever going to set the
+    # HTTP_CLIENT_IP/HTTP_X_FORWARDED_FOR headers properly.
+    ActionController::Base.ip_spoofing_check = false
+    assert_equal('8.8.8.8', @request.remote_ip(true))
+    ActionController::Base.ip_spoofing_check = true
+
     @request.env['HTTP_X_FORWARDED_FOR'] = '8.8.8.8, 9.9.9.9'
     assert_equal '8.8.8.8', @request.remote_ip(true)
 
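Review bot: the test flips a global class attribute and restores it with a plain assignment on the line after the assertion; if `assert_equal('8.8.8.8', @request.remote_ip(true))` fails, the line `ActionController::Base.ip_spoofing_check = true` is never reached and the check stays disabled for every later test in the process. Wrap the toggle in begin/ensure (or reset it in teardown) so the setting is always put back.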

Comments

yob Mon Dec 01 16:01:55 -0800 2008

fantastic..