Make Request#remote_ip return nil when HTTP_X_FORWARDED_FOR is empty

If HTTP_X_FORWARDED_FOR only contains whitespace, don't try to extract a list of IP addresses from it.
rails · Dec 27, 2011 · cd2136a · cd2136a
1 parent e0774e4
commit cd2136a
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
@@ -225,7 +225,7 @@ def remote_ip
         not_trusted_addrs = remote_addr_list.reject {|addr| addr =~ TRUSTED_PROXIES}
         return not_trusted_addrs.first unless not_trusted_addrs.empty?
       end
-      remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
+      remote_ips = @env['HTTP_X_FORWARDED_FOR'].present? && @env['HTTP_X_FORWARDED_FOR'].split(',')
 
       if @env.include? 'HTTP_CLIENT_IP'
         if ActionController::Base.ip_spoofing_check && remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])

diff --git a/actionpack/test/controller/request_test.rb b/actionpack/test/controller/request_test.rb
@@ -20,6 +20,9 @@ def test_remote_ip
       'HTTP_X_FORWARDED_FOR' => '3.4.5.6'
     assert_equal '1.2.3.4', request.remote_ip
 
+    request = stub_request 'HTTP_X_FORWARDED_FOR' => ''
+    assert_nil request.remote_ip
+
     request = stub_request 'REMOTE_ADDR' => '127.0.0.1',
       'HTTP_X_FORWARDED_FOR' => '3.4.5.6'
     assert_equal '3.4.5.6', request.remote_ip