Fix Remote address spoofing vulnerability in Connection#remote_addres…

…s [Alexey Borzenkov]
raggi · Aug 12, 2009 · 7bd0279 · 7bd0279
1 parent dacb5df
commit 7bd0279
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 10 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,4 +1,5 @@
 == 1.2.3
+ * Fix Remote address spoofing vulnerability in Connection#remote_address [Alexey Borzenkov]
  * Fix uninitialized constant ActionController::Dispatcher error with Rails 1.2.3 [Chris Anderton] [#103 state:resolved]
 
 == 1.2.2 I Find Your Lack of Sauce Disturbing release

diff --git a/lib/thin/connection.rb b/lib/thin/connection.rb
@@ -180,7 +180,7 @@ def threaded?
 
     # IP Address of the remote client.
     def remote_address
-      @request.forwarded_for || socket_address
+      socket_address
     rescue Exception
       log_error
       nil

diff --git a/lib/thin/request.rb b/lib/thin/request.rb
@@ -21,7 +21,6 @@ class Request
     HTTP_VERSION      = 'HTTP_VERSION'.freeze
     HTTP_1_0          = 'HTTP/1.0'.freeze
     REMOTE_ADDR       = 'REMOTE_ADDR'.freeze
-    FORWARDED_FOR     = 'HTTP_X_FORWARDED_FOR'.freeze
     CONTENT_LENGTH    = 'CONTENT_LENGTH'.freeze
     CONNECTION        = 'HTTP_CONNECTION'.freeze
     KEEP_ALIVE_REGEXP = /\bkeep-alive\b/i.freeze
@@ -123,10 +122,6 @@ def remote_address=(address)
       @env[REMOTE_ADDR] = address
     end
 
-    def forwarded_for
-      @env[FORWARDED_FOR]
-    end
-
     def threaded=(value)
       @env[RACK_MULTITHREAD] = value
     end

diff --git a/lib/thin/version.rb b/lib/thin/version.rb
@@ -6,11 +6,11 @@ class PlatformNotSupported < RuntimeError; end
   module VERSION #:nodoc:
     MAJOR    = 1
     MINOR    = 2
-    TINY     = 2
+    TINY     = 3
 
     STRING   = [MAJOR, MINOR, TINY].join('.')
 
-    CODENAME = "I Find Your Lack of Sauce Disturbing".freeze
+    CODENAME = "Astroboy".freeze
 
     RACK     = [1, 0].freeze # Rack protocol version
   end

diff --git a/spec/connection_spec.rb b/spec/connection_spec.rb
@@ -40,9 +40,10 @@
     @connection.process
   end
 
-  it "should return HTTP_X_FORWARDED_FOR as remote_address" do
+  it "should not return HTTP_X_FORWARDED_FOR as remote_address" do
     @connection.request.env['HTTP_X_FORWARDED_FOR'] = '1.2.3.4'
-    @connection.remote_address.should == '1.2.3.4'
+    @connection.stub!(:socket_address).and_return("127.0.0.1")
+    @connection.remote_address.should == "127.0.0.1"
   end
 
   it "should return nil on error retreiving remote_address" do