How to use IpSpoofAttackError #13914

homakov opened this Issue Feb 1, 2014 · 8 comments


homakov commented Feb 1, 2014

When I reflect

render text: request.remote_ip

it returns for following code:

x=new XMLHttpRequest;x.open('get','/ip');

So I am not sure why we need to raise IpSpoofAttackError; how exactly is it supposed to protect me? Probably I must use .ip instead of remote_ip if I don't have a proxy server?

homakov commented Feb 1, 2014

If we have a proxy server appending real IP to X-Forwarded-For, IpSpoofAttackError is not helpful.

If we don't have it, IpSpoofAttackError is not helpful either, because we can simply set our own X-Forwarded-For w/o Client-Ip.

Can someone please explain how it is helping?

pwnsdx commented Feb 1, 2014

Solution: Use PHP ;)

homakov commented Feb 1, 2014

joernchen: this doesn't work.

Since it doesn't work can someone remove that IP spoofing error? It only scares, doesn't mitigate.

pwnsdx commented Feb 1, 2014

#2490 (comment)

This doesn't work? @env["REMOTE_ADDR"]

homakov commented Feb 1, 2014

@pwnsdx no, and I don't see how it can help in any situation. It's still easy to set X-F-For

zsombor commented Feb 4, 2014

I don't think IpSpoofAttackError protects against anything. From the code:

Rails will raise the exception when it encounters a request having both the Client-Ip and X-Forwarded-For headers set. Something that is more likely caused by an ill-behaving proxy.

Not that any protection is possible whilst headers can be set from JavaScript.

homakov commented Feb 4, 2014

Exactly. Why do we need it then? Remote_ip has no benefits, let's use .ip instead.

@homakov homakov closed this Feb 14, 2014
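
Added example, not part of the thread and not Rails's own code: a simplified resolver that honours X-Forwarded-For and Client-Ip only when the TCP peer is a known proxy, which is the distinction the thread turns on. It goes slightly beyond the discussion by walking the forwarded chain right to left; `TRUSTED_PROXIES`, `client_ip`, `SpoofedHeaderError` and all addresses are hypothetical, constructed for illustration.

```ruby
require "ipaddr"

# Hypothetical names throughout; a simplified model, not Rails's implementation.
TRUSTED_PROXIES = [IPAddr.new("127.0.0.1"), IPAddr.new("10.0.0.0/8")].freeze

class SpoofedHeaderError < StandardError; end

def trusted_proxy?(ip)
  addr = IPAddr.new(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

def split_ips(value)
  value.to_s.split(",").map(&:strip).reject(&:empty?)
end

# env is a Rack-style hash. REMOTE_ADDR is the TCP peer and is the only value
# the client cannot choose; the two headers are plain request data.
def client_ip(env)
  peer = env.fetch("REMOTE_ADDR")
  # No trusted proxy in front of the app: ignore both headers entirely.
  return peer unless trusted_proxy?(peer)

  forwarded = split_ips(env["HTTP_X_FORWARDED_FOR"])
  claimed = split_ips(env["HTTP_CLIENT_IP"]).last
  # Consistency check of the kind discussed in the thread: both headers set
  # and disagreeing. It flags a confused proxy chain, nothing more.
  if claimed && forwarded.any? && !forwarded.include?(claimed)
    raise SpoofedHeaderError, "Client-Ip #{claimed} not in X-Forwarded-For"
  end

  # Walk right to left, skipping hops our own proxies appended. The first
  # untrusted entry is what the outermost trusted proxy saw as its peer.
  forwarded.reverse.find { |ip| !trusted_proxy?(ip) } || peer
end
```

Entries to the left of the first untrusted address are client-supplied and are never returned.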