From db5831dc30a702186e0b62e1e44f994cb4dd8061 Mon Sep 17 00:00:00 2001
From: Darren Boyd <dboyd@tapiocamobile.com>
Date: Sat, 22 Nov 2008 10:04:30 -0800
Subject: [PATCH] Making the IP Spoofing check in AbstractRequest#remote_ip configurable.

Certain groups of web proxies do not set these values properly.  Notably,
proxies for cell phones, which often do not set the remote IP information
correctly (not surprisingly, since the clients do not have an IP address).

Allowing this to be configurable makes it possible for developers to choose
to ignore this simple spoofing check, when a significant amount of their
traffic would result in false positives anyway.
---
 actionpack/lib/action_controller/base.rb    |    4 ++++
 actionpack/lib/action_controller/request.rb |    2 +-
 actionpack/test/controller/request_test.rb  |    9 +++++++++
 3 files changed, 14 insertions(+), 1 deletions(-)

diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index ad65620..1f32bc6 100644
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -336,6 +336,10 @@ module ActionController #:nodoc:
     # sets it to <tt>:authenticity_token</tt> by default.
     cattr_accessor :request_forgery_protection_token
 
+    # Controls the IP Spoofing check when determining the remote IP.
+    @@ip_spoofing_check = true
+    cattr_accessor :ip_spoofing_check
+
     # Indicates whether or not optimise the generated named
     # route helper methods
     cattr_accessor :optimise_named_routes
diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
index c079895..0a17df3 100755
--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -218,7 +218,7 @@ module ActionController
       remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
 
       if @env.include? 'HTTP_CLIENT_IP'
-        if remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
+        if ActionController::Base.ip_spoofing_check && remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
           # We don't know which came from the proxy, and which from the user
           raise ActionControllerError.new(<<EOM)
 IP spoofing attack?!
diff --git a/actionpack/test/controller/request_test.rb b/actionpack/test/controller/request_test.rb
index 7e26428..95a4825 100644
--- a/actionpack/test/controller/request_test.rb
+++ b/actionpack/test/controller/request_test.rb
@@ -67,6 +67,15 @@ class RequestTest < ActiveSupport::TestCase
     assert_match /HTTP_X_FORWARDED_FOR="9.9.9.9, 3.4.5.6, 10.0.0.1, 172.31.4.4"/, e.message
     assert_match /HTTP_CLIENT_IP="8.8.8.8"/, e.message
 
+    # turn IP Spoofing detection off.
+    # This is useful for sites that are aimed at non-IP clients.  The typical
+    # example is WAP.  Since the cellular network is not IP based, it's a
+    # leap of faith to assume that their proxies are ever going to set the
+    # HTTP_CLIENT_IP/HTTP_X_FORWARDED_FOR headers properly.
+    ActionController::Base.ip_spoofing_check = false
+    assert_equal('8.8.8.8', @request.remote_ip(true))
+    ActionController::Base.ip_spoofing_check = true
+
     @request.env['HTTP_X_FORWARDED_FOR'] = '8.8.8.8, 9.9.9.9'
     assert_equal '8.8.8.8', @request.remote_ip(true)
 
-- 
1.6.0.2