This project is archived and is in readonly mode.

#6436 new
Kurt Stephens

LOCALHOST: 127.x.x.x is Class A, not Class C

Reported by Kurt Stephens | February 15th, 2011 @ 09:10 PM


    LOCALHOST = [/^127\.0\.0\.\d{1,3}$/, "::1", /^0:0:0:0:0:0:0:1(%.*)?$/].freeze

All IPv4 127.x.x.x addresses are loopback/localhost addresses. is a Class A /8 network.

This code should be:

    LOCALHOST = [/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, "::1", /^0:0:0:0:0:0:0:1(%.*)?$/].freeze

Not sure if this issue exists elsewhere in Rails 3.

Citations: "Special Addresses"

  (g)   {127, <any>}
     Internal host loopback address.  Should never appear outside
     a host. - This block is assigned for use as the Internet host
   loopback address.  A datagram sent by a higher level protocol to an
   address anywhere within this block should loop back inside the host.
   This is ordinarily implemented using only for loopback,
   but no addresses within this block should ever appear on any network
   anywhere [RFC1700, page 5].

ifconfig lo:

lo        Link encap:Local Loopback
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host

Comments and changes to this ticket

  • Kurt Stephens

    Kurt Stephens February 15th, 2011 @ 09:47 PM

    A naive search yields other potential errors/problems:

    actionpack-3.0.3/lib/action_dispatch/http/request.rb:170:    TRUSTED_PROXIES = /^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\./i
    actionpack-3.0.3/lib/action_dispatch/middleware/remote_ip.rb:41:      regex = '(^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.)'
  • Kurt Stephens

    Kurt Stephens February 17th, 2011 @ 12:21 AM

    The IPv6 portion of the regexp may also be in error.

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>

People watching this ticket