This project is archived and is in readonly mode.
LOCALHOST: 127.x.x.x is Class A, not Class C
Reported by Kurt Stephens | February 15th, 2011 @ 09:10 PM
actionpack-3.0.3/lib/action_dispatch/http/request.rb:
LOCALHOST = [/^127\.0\.0\.\d{1,3}$/, "::1", /^0:0:0:0:0:0:0:1(%.*)?$/].freeze
All IPv4 127.x.x.x addresses are loopback/localhost addresses. 127.0.0.0 is a Class A /8 network.
This code should be:
LOCALHOST = [/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, "::1", /^0:0:0:0:0:0:0:1(%.*)?$/].freeze
Not sure if this issue exists elsewhere in Rails 3.
Citations:
http://www.faqs.org/rfcs/rfc1700.html: "Special Addresses"
(g) {127, <any>}
Internal host loopback address. Should never appear outside
a host.
http://www.faqs.org/rfcs/rfc3330.html
127.0.0.0/8 - This block is assigned for use as the Internet host
loopback address. A datagram sent by a higher level protocol to an
address anywhere within this block should loop back inside the host.
This is ordinarily implemented using only 127.0.0.1/32 for loopback,
but no addresses within this block should ever appear on any network
anywhere [RFC1700, page 5].
ifconfig lo:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
Comments and changes to this ticket
Kurt Stephens February 15th, 2011 @ 09:47 PM
A naive search yields other potential errors/problems:
actionpack-3.0.3/lib/action_dispatch/http/request.rb:170: TRUSTED_PROXIES = /^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\./i
actionpack-3.0.3/lib/action_dispatch/middleware/remote_ip.rb:41: regex = '(^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.)'
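Added example, not part of the ticket and not Rails code: the two IPv4 patterns quoted in the ticket compared with a CIDR membership check for 127.0.0.0/8 and ::1 built on Ruby's standard ipaddr library. The names LOOPBACK_NETS, loopback? and compare, and the sample addresses, are constructed for illustration.

```ruby
require "ipaddr"

# IPv4 patterns quoted in the ticket: the shipped one and the proposed one.
ORIGINAL_V4 = /^127\.0\.0\.\d{1,3}$/
PROPOSED_V4 = /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/

# Hypothetical constant: the loopback ranges from the cited RFCs in CIDR form.
LOOPBACK_NETS = [IPAddr.new("127.0.0.0/8"), IPAddr.new("::1/128")].freeze

# Hypothetical helper: parse the address first, then test range membership.
# Anything that does not parse as an IP address is never treated as loopback.
def loopback?(addr)
  ip = IPAddr.new(addr.to_s.sub(/%.*\z/, "")) # drop an IPv6 zone id such as %lo0
  LOOPBACK_NETS.any? { |net| net.family == ip.family && net.include?(ip) }
rescue IPAddr::Error
  false
end

# Constructed sample addresses covering the cases discussed in the ticket.
SAMPLES = [
  "127.0.0.1", "127.0.0.2", "127.1.2.3", "127.255.255.254",
  "127.999.1.1", "128.0.0.1", "::1", "0:0:0:0:0:0:0:1%lo0"
].freeze

# Returns [address, original regex?, proposed regex?, CIDR check?] per address.
def compare(addrs)
  addrs.map do |a|
    [a, !!(ORIGINAL_V4 =~ a), !!(PROPOSED_V4 =~ a), loopback?(a)]
  end
end

compare(SAMPLES).each do |row|
  puts format("%-22s original=%-5s proposed=%-5s cidr=%s", *row)
end
```

The proposed pattern covers the whole /8 but also accepts strings such as 127.999.1.1, because \d{1,3} does not range-check each octet; parsing the address first rejects them.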
Tickets have moved to GitHub
The new ticket tracker is available at https://github.com/rails/rails/issues