Request#trusted_proxy? is easily fooled, since it uses ^ and $.
Maybe it's time to use Mutation testing against rack?
Hello @postmodern. Sorry for the ignorance, but what's the problem with the ^ and $ operators in that regex? Could you provide an example?
# => 8
^ and $ will match any line within a String. To match the full String, you'd want \A and \z.
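As an added illustration of the point above (this is not code from the rack project: the two patterns are simplified stand-ins for the real private-address check, and `client_ip` is a hypothetical picker in the spirit of Request#ip that walks X-Forwarded-For from the right and skips trusted proxies):

```ruby
# Added example, not rack's own code. Shows why ^ and $ are the wrong
# anchors for a whole-string check and what the \A / \z fix looks like.

# Simplified stand-in for the trusted-proxy pattern (assumption: the exact
# pattern rack used is not reproduced here). ^ and $ anchor at line
# boundaries, so a string with an embedded "\n" has two "lines".
LOOSE_TRUSTED  = /^127\.0\.0\.1$|^10\.|^192\.168\.|^::1$|^localhost$/i

# Same address classes, anchored to the whole string. \A is start of string
# and \z is the true end (\Z would still allow a trailing newline). "." does
# not cross a newline without /m, so an embedded "\n" can no longer match.
STRICT_TRUSTED = /\A(?:127\.0\.0\.1|10\..*|192\.168\..*|::1|localhost)\z/i

def loosely_trusted?(ip)
  !!(ip =~ LOOSE_TRUSTED)
end

def strictly_trusted?(ip)
  !!(ip =~ STRICT_TRUSTED)
end

# Hypothetical client-address picker (assumption, modelled on the idea of
# Request#ip): split the X-Forwarded-For chain on commas, walk it from the
# right, and return the first hop that is not a trusted proxy. If every
# hop is "trusted", fall back to the leftmost entry.
def client_ip(forwarded_for, trusted)
  addrs = forwarded_for.split(/\s*,\s*/)
  addrs.reverse_each { |a| return a unless trusted.call(a) }
  addrs.first
end

# Constructed inputs. "8.8.8.8\n127.0.0.1" is a single header value that
# contains a newline; the loose pattern finds 127.0.0.1 on its second
# "line" and calls the whole value a trusted proxy.
SPOOFED = "8.8.8.8\n127.0.0.1"
CHAIN   = "198.51.100.9, 203.0.113.7\n127.0.0.1"

if __FILE__ == $0
  puts "loose:  #{loosely_trusted?(SPOOFED)}"   # true  (match at index 8)
  puts "strict: #{strictly_trusted?(SPOOFED)}"  # false
  puts "loose picks:  #{client_ip(CHAIN, method(:loosely_trusted?)).inspect}"
  puts "strict picks: #{client_ip(CHAIN, method(:strictly_trusted?)).inspect}"
end
```

With the loose pattern the newline-bearing entry is discarded as a "proxy" and the picker falls through to the entry to its left; with the strict pattern it is treated as an ordinary, untrusted value. Whether an HTTP client can actually get a newline into that header is exactly the question the thread goes on to raise.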
Agreed, is this a vector you can use from an HTTP request though?
Could possibly be used to spoof the IP Address in Request#ip.
Yes, I meant I don't think you can make an HTTP request where that header contains a new line. This is important, as it makes all the difference between not 100% correct code and a security issue.
Well if it's a security issue, @postmodern damn well knows better than to post it here right?
Request#trusted_proxy? no longer accepts lines
* Closes #508
* Adds some limited coverage. More issues highlighted - incomplete local ips.
This issue is closed, but this method is sorely incomplete. It's missing a lot of local addresses and so on.
I haven't found an actual use yet. However, it's better to fix potential vulnerabilities before they become exploitable.