
How to use IpSpoofAttackError #13914

Closed
homakov opened this Issue · 8 comments

3 participants

@homakov

When I reflect

render text: request.remote_ip

it returns 123.123.123.123 for the following code:

var ip = "123.123.123.123";
var x = new XMLHttpRequest();
x.open('get', '/ip');
x.setRequestHeader('X-Forwarded-For', ip);
x.send();

So I am not sure why we need to raise IpSpoofAttackError; how exactly is it supposed to protect me? Probably I must use .ip instead of remote_ip if I don't have a proxy server?

@homakov

If we have a proxy server appending the real IP to X-Forwarded-For, IpSpoofAttackError is not helpful.

If we don't have it, IpSpoofAttackError is not helpful either, because we can simply set our own X-Forwarded-For w/o Client-Ip.

Can someone please explain how it is helping?

@pwnsdx

Solution: Use PHP ;)

@homakov

joernchen: this doesn't work.

Since it doesn't work can someone remove that IP spoofing error? It only scares, doesn't mitigate.

@pwnsdx

#2490 (comment)

This doesn't work? @env["REMOTE_ADDR"]

@homakov

@pwnsdx no, and I don't see how it can help in any situation. It's still easy to set X-F-For

@zsombor

I don't think IpSpoofAttackError protects against anything. From the code:

https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/remote_ip.rb#L149

Rails will raise the exception when it encounters a request having both the Client-Ip and X-Forwarded-For headers set, something that is more likely caused by an ill-behaving proxy.

Not that any protection is possible whilst headers can be set from JavaScript.
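Added example, not code from the Rails project or from anyone in this thread: a small Ruby model of the behaviour described in the first comment (a client-supplied X-Forwarded-For is reflected by remote_ip) and in the reading of remote_ip.rb above (the error fires only when Client-Ip and X-Forwarded-For are both present and disagree), next to a trusted-proxy walk that does mitigate spoofing. The function names, the TRUSTED_RANGES list, the sample environments and the 10.0.0.5 proxy address are this example's own assumptions; the raise condition is modelled on the linked middleware, the trusted-proxy walk is a standard technique and not Rails' code.

```ruby
# Added example, not code from the Rails project or from anyone in this thread.
# A small model of the Client-Ip / X-Forwarded-For handling the thread discusses,
# next to a trusted-proxy walk that never believes a header the client could set.
# All names below (remote_ip_rails_style, remote_ip_trusted_walk, TRUSTED_RANGES,
# the sample environments) are this example's own.
require "ipaddr"

class IpSpoofAttackError < StandardError; end

# Private and loopback ranges treated as "one of our proxies, not the client".
TRUSTED_RANGES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                 .map { |cidr| IPAddr.new(cidr) }

def trusted?(ip, trusted = TRUSTED_RANGES)
  addr = IPAddr.new(ip)
  trusted.any? { |range| range.include?(addr) }
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  false
end

# A header may be absent, a single address, or a comma-separated list.
def ips_from(value)
  value.to_s.split(",").map(&:strip).reject(&:empty?)
end

# Modelled on the middleware linked above: raise when Client-Ip and
# X-Forwarded-For are both present and do not agree, then take the first
# non-trusted address out of X-Forwarded-For (right to left), Client-Ip and
# REMOTE_ADDR, in that order. Because X-Forwarded-For is consulted before
# REMOTE_ADDR, a value the client wrote into that header itself wins, which is
# exactly what the first comment observed.
def remote_ip_rails_style(env)
  remote_addr   = ips_from(env["REMOTE_ADDR"]).last
  client_ips    = ips_from(env["HTTP_CLIENT_IP"]).reverse
  forwarded_ips = ips_from(env["HTTP_X_FORWARDED_FOR"]).reverse

  if client_ips.last && forwarded_ips.last && !forwarded_ips.include?(client_ips.last)
    raise IpSpoofAttackError,
          "IP spoofing attack?! HTTP_CLIENT_IP=#{env['HTTP_CLIENT_IP'].inspect} " \
          "HTTP_X_FORWARDED_FOR=#{env['HTTP_X_FORWARDED_FOR'].inspect}"
  end

  candidates = [forwarded_ips, client_ips, remote_addr].flatten.compact
  candidates.reject { |ip| trusted?(ip) }.first || remote_addr
end

# The approach that does mitigate spoofing (a standard technique, not Rails'
# own code): start from REMOTE_ADDR, which the web server took from the TCP
# connection, and read X-Forwarded-For from the right only while the previous
# hop was one of our own proxies. Client-Ip is never consulted. With no proxies
# configured this degenerates to REMOTE_ADDR, i.e. what request.ip returns.
def remote_ip_trusted_walk(env, trusted_proxies)
  remote_addr = ips_from(env["REMOTE_ADDR"]).last
  return remote_addr unless trusted?(remote_addr, trusted_proxies)

  # Each X-Forwarded-For entry was appended by the proxy that received the
  # request from that address, so entries are reliable only as far back as the
  # chain of proxies we control; the first one outside that chain is the client.
  ips_from(env["HTTP_X_FORWARDED_FOR"]).reverse_each do |ip|
    return ip unless trusted?(ip, trusted_proxies)
  end
  remote_addr
end

# Constructed Rack-style environments, not captured traffic.
# 1. No proxy; the browser itself sent X-Forwarded-For, as in the XMLHttpRequest above.
DIRECT_SPOOF = { "REMOTE_ADDR" => "203.0.113.9",
                 "HTTP_X_FORWARDED_FOR" => "123.123.123.123" }
# 2. No proxy; the browser sent both headers with different values.
CONFLICT = DIRECT_SPOOF.merge("HTTP_CLIENT_IP" => "198.51.100.7")
# 3. Our proxy at 10.0.0.5 appended the real client (203.0.113.9) to a
#    client-supplied X-Forwarded-For.
BEHIND_PROXY = { "REMOTE_ADDR" => "10.0.0.5",
                 "HTTP_X_FORWARDED_FOR" => "123.123.123.123, 203.0.113.9" }
OUR_PROXIES = [IPAddr.new("10.0.0.5")]

if __FILE__ == $PROGRAM_NAME
  puts remote_ip_rails_style(DIRECT_SPOOF)              # 123.123.123.123: spoofed value wins
  puts remote_ip_trusted_walk(DIRECT_SPOOF, [])          # 203.0.113.9: no proxies, so REMOTE_ADDR
  begin
    remote_ip_rails_style(CONFLICT)
  rescue IpSpoofAttackError => e
    puts "raised: #{e.message}"                          # only this request trips the check
  end
  puts remote_ip_trusted_walk(CONFLICT, [])              # 203.0.113.9: Client-Ip is ignored
  puts remote_ip_trusted_walk(BEHIND_PROXY, OUR_PROXIES) # 203.0.113.9: stops at our proxy
end
```

The point the thread makes falls out of the first two calls: a request with only a forged X-Forwarded-For never reaches the raise, and the Rails-style resolver returns the forged value, while the trusted-proxy walk with an empty proxy list returns REMOTE_ADDR, which is what request.ip already gives. The third environment shows the walk still recovering the real client when a proxy we control sits in front of the app and has appended the connecting address after the forged one.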

@homakov

Exactly. Why do we need it then? remote_ip has no benefits, let's use .ip instead.

@homakov homakov closed this