From 70bd6a3f6c2bbd29c894eec417ed8a43e5562335 Mon Sep 17 00:00:00 2001 From: Felipe Talavera Date: Sun, 9 Aug 2009 17:14:42 +0200 Subject: [PATCH] HTTP_X_FORWARDED_FOR ignored if REMOTE_ADDR is "trusted" --- .../lib/action_controller/metal/compatibility.rb | 3 ++ actionpack/lib/action_dispatch/http/request.rb | 4 +- actionpack/test/dispatch/request_test.rb | 25 ++++++++++++++++++++ 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/actionpack/lib/action_controller/metal/compatibility.rb b/actionpack/lib/action_controller/metal/compatibility.rb index 23e7b1b..abb6d32 100644 --- a/actionpack/lib/action_controller/metal/compatibility.rb +++ b/actionpack/lib/action_controller/metal/compatibility.rb @@ -64,6 +64,9 @@ module ActionController cattr_accessor :ip_spoofing_check self.ip_spoofing_check = true + + cattr_accessor :local_trusted_proxies + self.local_trusted_proxies = nil end # For old tests diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb index 5f9463e..32d3d7e 100755 --- a/actionpack/lib/action_dispatch/http/request.rb +++ b/actionpack/lib/action_dispatch/http/request.rb @@ -246,7 +246,7 @@ module ActionDispatch remote_addr_list = @env['REMOTE_ADDR'] && @env['REMOTE_ADDR'].scan(/[^,\s]+/) unless remote_addr_list.blank? - not_trusted_addrs = remote_addr_list.reject {|addr| addr =~ TRUSTED_PROXIES} + not_trusted_addrs = remote_addr_list.reject {|addr| addr =~ TRUSTED_PROXIES || addr =~ ActionController::Base.local_trusted_proxies} return not_trusted_addrs.first unless not_trusted_addrs.empty? end remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',') @@ -265,7 +265,7 @@ EOM end if remote_ips - while remote_ips.size > 1 && TRUSTED_PROXIES =~ remote_ips.last.strip + while remote_ips.size > 1 && (TRUSTED_PROXIES =~ remote_ips.last.strip || ActionController::Base.local_trusted_proxies =~ remote_ips.last.strip) remote_ips.pop end diff --git a/actionpack/test/dispatch/request_test.rb b/actionpack/test/dispatch/request_test.rb index 8ebf9aa..635219d 100644 --- a/actionpack/test/dispatch/request_test.rb +++ b/actionpack/test/dispatch/request_test.rb @@ -70,6 +70,31 @@ class RequestTest < ActiveSupport::TestCase request = stub_request 'HTTP_X_FORWARDED_FOR' => '8.8.8.8, 9.9.9.9' assert_equal '9.9.9.9', request.remote_ip + + ActionController::Base.local_trusted_proxies = /^67\.205\.106\.73$/i + request = stub_request 'REMOTE_ADDR' => '67.205.106.73', + 'HTTP_X_FORWARDED_FOR' => '3.4.5.6' + assert_equal '3.4.5.6', request.remote_ip + + request = stub_request 'REMOTE_ADDR' => '172.16.0.1,67.205.106.73', + 'HTTP_X_FORWARDED_FOR' => '3.4.5.6' + assert_equal '3.4.5.6', request.remote_ip + + request = stub_request 'REMOTE_ADDR' => '67.205.106.73,172.16.0.1', + 'HTTP_X_FORWARDED_FOR' => '3.4.5.6' + assert_equal '3.4.5.6', request.remote_ip + + request = stub_request 'REMOTE_ADDR' => '67.205.106.74,172.16.0.1', + 'HTTP_X_FORWARDED_FOR' => '3.4.5.6' + assert_equal '67.205.106.74', request.remote_ip + + request = stub_request 'HTTP_X_FORWARDED_FOR' => 'unknown,67.205.106.73' + assert_equal 'unknown', request.remote_ip + + request = stub_request 'HTTP_X_FORWARDED_FOR' => '9.9.9.9, 3.4.5.6, 10.0.0.1, 67.205.106.73' + assert_equal '3.4.5.6', request.remote_ip + + ActionController::Base.local_trusted_proxies = nil end test "domains" do -- 1.6.3.3