A client that accesses a Rails app without a proxy that overwrites headers can make request.remote_ip return arbitrary strings (!) by setting the header X-Forwarded-For. This is a regression from 3.1.
Source of the problem: remote_ip always gives the headers preference over the actual connection IP (REMOTE_ADDR).
https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/remote_ip.rb:
```ruby
def calculate_ip
  client_ip     = @env['HTTP_CLIENT_IP']
  forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR')
  remote_addrs  = ips_from('REMOTE_ADDR')
  ### irrelevant code snipped ###
  not_proxy = client_ip || forwarded_ips.first || remote_addrs.first
  # Return first REMOTE_ADDR if there are no other options
  not_proxy || ips_from('REMOTE_ADDR', :allow_proxies).first
end
```
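
The preference order described above, next to a connection-first alternative, as an added example that is not Rails code and not part of the original report. The function names and the `TRUSTED_PROXIES` list are assumptions made for illustration; the env hashes in any call are constructed by the caller.

```ruby
require 'ipaddr'

# Assumption: ranges whose hosts are your own reverse proxies (adjust per deployment).
TRUSTED_PROXIES = %w[127.0.0.0/8 ::1/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                  .map { |cidr| IPAddr.new(cidr) }

# Parse one address; nil for anything that is not a single valid IP.
def parse_ip(raw)
  str = raw.to_s.strip
  return nil if str.empty? || str.include?('/')
  IPAddr.new(str)
rescue ArgumentError # IPAddr::Error is a subclass of ArgumentError
  nil
end

def trusted_proxy?(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# Header-first order, as in the excerpt: a header value wins over REMOTE_ADDR.
def header_first_ip(env)
  env['HTTP_CLIENT_IP'] ||
    env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map(&:strip).first ||
    env['REMOTE_ADDR']
end

# Connection-first order: headers are consulted only when the TCP peer is a
# trusted proxy, and the chain is read right to left so that entries a client
# prepended are never reached before the hop our own proxy appended.
def connection_first_ip(env)
  peer = parse_ip(env['REMOTE_ADDR'])
  return nil unless peer
  return peer.to_s unless trusted_proxy?(peer) # direct client: ignore headers

  env['HTTP_X_FORWARDED_FOR'].to_s.split(',').reverse_each do |raw|
    hop = parse_ip(raw)
    return peer.to_s unless hop                # malformed entry: fall back to peer
    return hop.to_s unless trusted_proxy?(hop) # first hop outside our proxies
  end
  peer.to_s
end
```

With a direct connection, `connection_first_ip` returns the socket address regardless of what the request headers contain, while `header_first_ip` returns the header string unvalidated.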