This project is archived and is in readonly mode.

#1200 ✓committed
sbwoodside

"IP spoofing attack" breaks with some proxies

Reported by sbwoodside | October 11th, 2008 @ 12:18 AM | in 2.x

The code that checks for "IP spoofing attack" breaks when accessing the application through the T-Mobile network in the USA. And possibly other mobile networks. T-Mobile sets different values into HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR.

See bug #322 which has a patch for a slightly different problem, and it doesn't resolve this T-Mobile issue.

Comments and changes to this ticket

  • James Healy

    James Healy October 28th, 2008 @ 04:18 AM

    I'm running into this issue as well, although not with a T-mobile device.

    One of the regular users of our site is on a university campus that appears to use a broken proxy so they get this 500 error everytime they access our site.

    In the interim I've just commented this out, but it'd be nice to make the check configurable or something.

  • Guillermo Álvarez

    Guillermo Álvarez October 28th, 2008 @ 12:04 PM

    • Tag set to actionpack, bug, remote_ip, spoofing

    I have the same problem.

    I think is a bug, since http://en.wikipedia.org/wiki/X-F... says that the first element of HTTP_X_FORWARDED_FOR must be the same of HTTP_CLIENT_IP

    The actual code is:

      if @env.include? 'HTTP_CLIENT_IP'
    if remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
      # We don't know which came from the proxy, and which from the user
      raise ActionControllerError.new(<<EOM)

    IP spoofing attack?! HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect} HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect} EOM

        end

    return @env['HTTP_CLIENT_IP']
  end

    And i think it must be something like these

      if @env.include? 'HTTP_CLIENT_IP'
    if remote_ips && @env['HTTP_CLIENT_IP'].strip != remote_ips[0]

    ...

  • Guillermo Álvarez

    Guillermo Álvarez October 28th, 2008 @ 12:09 PM

    • Title changed from “"IP spoofing attack" breaks with some mobile phones” to “"IP spoofing attack" breaks with some proxies”

    I have the same problem.

    I think is a bug, since http://en.wikipedia.org/wiki/X-F... says that the first element of HTTP_X_FORWARDED_FOR must be the same of HTTP_CLIENT_IP

    The actual code is:

      if @env.include? 'HTTP_CLIENT_IP'
    if remote_ips && !remote_ips.include?(@env['HTTP_CLIENT_IP'])
      # We don't know which came from the proxy, and which from the user
      raise ActionControllerError.new(<<EOM)

    IP spoofing attack?! HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect} HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect} EOM

        end

    return @env['HTTP_CLIENT_IP']
  end

    And i think it must be something like these

      if @env.include? 'HTTP_CLIENT_IP'
    if remote_ips && @env['HTTP_CLIENT_IP'].strip != remote_ips[0]

    ...

  • DHH

    DHH October 30th, 2008 @ 10:46 AM

    Please provide a full patch with tests. Thanks.

  • Darren

    Darren November 22nd, 2008 @ 06:20 PM

    • Tag changed from actionpack, bug, remote_ip, spoofing to actionpack, bug, patch, remote_ip, spoofing

    I think the issue with the IP Spoofing Check as it exists in the current code is that it assumes the client actually has an IP address. On Cell networks, this isn't the case. Expecting to get Cell companies to set non-standard headers properly is a leap of faith (IMHO).

    I have little issue with the keeping the spoofing check, as it seems reasonable for proxy administrators to configure their proxies in a reasonable matter. However, there are real issues when this check causes a lot of false positives.

    I have no real numbers from our own site, but I believe we see the majority of our requests from mobile devices fail this check, when it's left in place. In this case, being able to simply turn this check off would be useful (and we have simply commented out the check for the last couple releases of Rails).

    I've attached a patch, which I think is a reasonable change to allow people who want to avoid this check to turn it off. This is my first patch, and I apologize if I failed protocol. I am expecting at least some feedback (I'm not sure if I put the configurable property in the right place, and there should be more docs).

  • Repository

    Repository December 1st, 2008 @ 07:41 PM

    • State changed from “new” to “committed”

    (from [0a4a5f3129a137fc357e8444a08b135f0ad4fbe8]) Making the IP Spoofing check in AbstractRequest#remote_ip configurable.

    Certain groups of web proxies do not set these values properly. Notably, proxies for cell phones, which often do not set the remote IP information correctly (not surprisingly, since the clients do not have an IP address).

    Allowing this to be configurable makes it possible for developers to choose to ignore this simple spoofing check, when a significant amount of their traffic would result in false positives anyway.

    Signed-off-by: Michael Koziarski michael@koziarski.com

    [#1200 state:committed] http://github.com/rails/rails/co...

  • sbwoodside

    sbwoodside December 1st, 2008 @ 09:21 PM

    Yay thanks.

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

People watching this ticket

Attachments

Tags

Referenced by

Pages