Actionpack 3.2.1 regression: client can fake request.remote_ip #4962

Closed
andreas-s opened this Issue Feb 9, 2012 · 2 comments


A client that accesses a Rails app without a proxy that overwrites headers can make request.remote_ip return arbitrary strings (!) by setting the header X-Forwarded-For. This is a regression from 3.1.

Source of the problem: remote_ip always gives the headers preference over the actual connection IP (REMOTE_ADDR).

https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/remote_ip.rb:

      def calculate_ip
        client_ip     = @env['HTTP_CLIENT_IP']
        forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR')
        remote_addrs  = ips_from('REMOTE_ADDR')

        ### irrelevant code snipped ###

        not_proxy = client_ip || forwarded_ips.first || remote_addrs.first

        # Return first REMOTE_ADDR if there are no other options
        not_proxy || ips_from('REMOTE_ADDR', :allow_proxies).first
      end
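The ordering problem described above, modelled as an added example (this is not Rails code and not the reporter's; the module, method names and the trusted-proxy ranges are assumptions for the demo). `unsafe_remote_ip` mirrors the header-first preference the issue quotes; `safe_remote_ip` starts from `REMOTE_ADDR`, the one value the client cannot choose, consults `X-Forwarded-For` only when the TCP peer is one of our proxies, and then walks the chain right to left, skipping our own proxies and anything that is not even a syntactically valid address.

```ruby
require "ipaddr"

# Added example, not Rails code: a minimal model of the remote_ip ordering bug.
module RemoteIpExample
  # Stand-in for "the proxies we operate" (assumed for the example;
  # a real deployment lists its actual load balancers / reverse proxies).
  TRUSTED_PROXIES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                    .map { |cidr| IPAddr.new(cidr) }.freeze

  # Split a comma-separated header value into trimmed, non-empty entries.
  def self.ips_from(env, key)
    (env[key] || "").split(",").map(&:strip).reject(&:empty?)
  end

  # The ordering the issue describes: headers win over REMOTE_ADDR and no
  # check is made that the chosen value is an IP address at all.
  def self.unsafe_remote_ip(env)
    env["HTTP_CLIENT_IP"] ||
      ips_from(env, "HTTP_X_FORWARDED_FOR").first ||
      ips_from(env, "REMOTE_ADDR").first
  end

  # True only for syntactically valid IPv4/IPv6 literals.
  def self.valid_ip?(str)
    IPAddr.new(str)
    true
  rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
    false
  end

  # True if the address belongs to one of our proxy ranges.
  def self.trusted_proxy?(str)
    return false unless valid_ip?(str)
    ip = IPAddr.new(str)
    TRUSTED_PROXIES.any? { |net| net.include?(ip) }
  end

  # Hardened resolution: REMOTE_ADDR is the only client-independent fact.
  # Forwarding headers are believed only when REMOTE_ADDR is a proxy we run;
  # the chain is then read right to left (each proxy appends the peer it saw
  # last), discarding our own proxies and malformed entries, and the first
  # untrusted valid address is the client. Anything else falls back to
  # REMOTE_ADDR, so a direct client cannot pick its own "IP".
  def self.safe_remote_ip(env)
    remote_addr = ips_from(env, "REMOTE_ADDR").first
    return remote_addr unless remote_addr && trusted_proxy?(remote_addr)

    ips_from(env, "HTTP_X_FORWARDED_FOR").reverse_each do |candidate|
      next unless valid_ip?(candidate)          # client-supplied garbage is ignored
      return candidate unless trusted_proxy?(candidate)
    end
    remote_addr
  end
end

if __FILE__ == $0
  # Constructed Rack-style env hashes for the demo.
  direct = { "REMOTE_ADDR" => "203.0.113.5", "HTTP_X_FORWARDED_FOR" => "evil" }
  proxied = { "REMOTE_ADDR" => "10.0.0.2",
              "HTTP_X_FORWARDED_FOR" => "1.2.3.4, 203.0.113.5" }
  puts "direct  unsafe=#{RemoteIpExample.unsafe_remote_ip(direct)} safe=#{RemoteIpExample.safe_remote_ip(direct)}"
  puts "proxied unsafe=#{RemoteIpExample.unsafe_remote_ip(proxied)} safe=#{RemoteIpExample.safe_remote_ip(proxied)}"
end
```

The second env shows the other half of the problem: even behind a legitimate proxy, the client can prepend entries to `X-Forwarded-For`, so taking the *first* entry (as the unsafe version does) still yields an attacker-chosen value; only the entry appended by a trusted proxy is worth anything.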

rand99 commented Apr 13, 2012

http://www.securityfocus.com/bid/46423/info

I see they haven't changed it yet :-)

Probably because this only works from the intranet, but also on Apache etc.


steveklabnik commented Jun 16, 2012

This seems to be fixed in master and 3-2-stable:

# We don't know which came from the proxy, and which from the user
