Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

make sure both headers are set before checking for ip spoofing

(cherry picked from commit ccd6f8b)

Signed-off-by: Andrew White <andyw@pixeltrix.co.uk>
  • Loading branch information...
commit fbf5ece95f1860d61a961c1c53300c9d42909c16 1 parent 6a67407
Tamir Duberstein authored pixeltrix committed
View
7 actionpack/CHANGELOG.md
@@ -1,5 +1,12 @@
## unreleased ##
+* Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
+ attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
+
+ Fixes #10844
+
+ *Tamir Duberstein*
+
* Strong parameters should permit nested number as key.
Fixes #12293
View
2  actionpack/lib/action_dispatch/middleware/remote_ip.rb
@@ -143,7 +143,7 @@ def calculate_ip
# proxies with incompatible IP header conventions, and there is no way
# for us to determine which header is the right one after the fact.
# Since we have no idea, we give up and explode.
- should_check_ip = @check_ip && client_ips.last
+ should_check_ip = @check_ip && client_ips.last && forwarded_ips.last
if should_check_ip && !forwarded_ips.include?(client_ips.last)
# We don't know which came from the proxy, and which from the user
raise IpSpoofAttackError, "IP spoofing attack?! " +
View
10 railties/test/application/middleware/remote_ip_test.rb
@@ -33,6 +33,16 @@ def remote_ip(env = {})
end
end
+ test "works with both headers individually" do
+ make_basic_app
+ assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do
+ assert_equal "1.1.1.1", remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1")
+ end
+ assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do
+ assert_equal "1.1.1.2", remote_ip("HTTP_CLIENT_IP" => "1.1.1.2")
+ end
+ end
+
test "can disable IP spoofing check" do
make_basic_app do |app|
app.config.action_dispatch.ip_spoofing_check = false
Please sign in to comment.
Something went wrong with that request. Please try again.