This project is archived and is in readonly mode.
X-Forwarded-For ignored when "trusted"
Reported by jaswope | April 8th, 2011 @ 03:28 PM
ActionDispatch::RemoteIp ignores X-Forwarded-For if all of the IPs it contains are considered trusted proxies. This list includes localhost and all private addresses.
This impacts applications that are hosted behind a reverse proxy (proxying to localhost) and accessed from a private IP, such as intranet applications. Aside from making the remote ip detection incorrect, this causes problems with ActionDispatch::Request.local?, causing it to incorrectly return true, which in turn causes default configurations of Rails apps to show stack traces when they shouldn't.
The offending line appears to be here: https://github.com/rails/rails/blob/master/actionpack/lib/action_di...
Perhaps it should fall back to the last ip in the forwarded for chain instead:

    return forwarded_ips.reject { |ip| ip =~ @trusted_proxies }.last || forwarded_ips.last
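
Added example, not part of the original ticket and not Rails source: a simplified Ruby model of the behaviour reported above next to the proposed fallback, run over constructed requests that arrive through a reverse proxy on localhost. `TRUSTED`, `remote_ip_reported`, `remote_ip_proposed`, `local?` and the sample addresses are assumptions made for illustration.

```ruby
# Simplified model of the behaviour described in the ticket; not Rails source.
# TRUSTED is an assumed pattern covering localhost and private IPv4 ranges.
TRUSTED = /\A127\.0\.0\.1\z|\A(10|172\.(1[6-9]|2[0-9]|3[01])|192\.168)\./

def parse_forwarded(header)
  header.to_s.split(',').map(&:strip).reject(&:empty?)
end

# Behaviour as reported: drop trusted hops; if nothing is left, use REMOTE_ADDR.
def remote_ip_reported(xff, remote_addr)
  parse_forwarded(xff).reject { |ip| ip =~ TRUSTED }.last || remote_addr
end

# Behaviour with the fallback proposed in the ticket.
def remote_ip_proposed(xff, remote_addr)
  ips = parse_forwarded(xff)
  ips.reject { |ip| ip =~ TRUSTED }.last || ips.last || remote_addr
end

# Stand-in for the request's local? check: true only for loopback.
def local?(ip)
  ['127.0.0.1', '::1'].include?(ip)
end

# Constructed requests: [X-Forwarded-For, REMOTE_ADDR]; the proxy is on localhost.
CASES = {
  intranet_client: ['192.168.1.50', '127.0.0.1'],
  public_client:   ['203.0.113.7', '127.0.0.1'],
  chained:         ['203.0.113.7, 10.0.0.2', '127.0.0.1'],
  private_chain:   ['192.168.1.50, 10.0.0.2', '127.0.0.1'],
  no_header:       [nil, '127.0.0.1']
}

def compare
  CASES.map do |name, (xff, addr)|
    a = remote_ip_reported(xff, addr)
    b = remote_ip_proposed(xff, addr)
    [name, { reported: a, reported_local: local?(a),
             proposed: b, proposed_local: local?(b) }]
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  compare.each { |name, r| puts "#{name}: #{r}" }
end
```

In the `private_chain` case the proposed fallback returns the last hop in the header, which may be an inner proxy rather than the client, so the order of entries in the header matters.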
Tickets have moved to GitHub
The new ticket tracker is available at https://github.com/rails/rails/issues