Browse files

Added security notice to Request#remote_ip underlining the fact that …

…its value can be spoofed (and that you should use Request#remote_addr if thats a concern for your application) [Adrian Holovaty]

git-svn-id: 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
dhh committed Sep 17, 2007
1 parent 7cb26b5 commit 4e7dce7e40d490a55d95a7fc697483427f081b0e
Showing with 8 additions and 0 deletions.
  1. +8 −0 actionpack/lib/action_controller/request.rb
@@ -119,6 +119,14 @@ def xml_http_request?
# falling back to REMOTE_ADDR. HTTP_X_FORWARDED_FOR may be a comma-
# delimited list in the case of multiple chained proxies; the first is
# the originating IP.
+ #
+ # Security note: Be aware that since remote_ip will check regular HTTP headers,
+ # it can be tricked by anyone setting those manually. In other words, people can
+ # pose as whatever IP address they like to this method. That doesn't matter if
+ # all your doing is using IP addresses for statistical or geographical information,
+ # but if you want to, for example, limit access to an administrative area by IP,
+ # you should instead use Request#remote_addr, which can't be spoofed (but also won't
+ # survive proxy forwards).
def remote_ip
return @env['HTTP_CLIENT_IP'] if @env.include? 'HTTP_CLIENT_IP'

0 comments on commit 4e7dce7

Please sign in to comment.