Rails Ruby on Rails → 3.0.6

Comments and changes to this ticket

• 

  Michael Koziarski February 16th, 2011 @ 10:22 PM

  • Milestone set to “3.0.5”
  • Importance changed from “” to “Low”

  The attack vectors they're talking about there assume no one does any sanitization. SQL Injection, shell script exploits etc only apply if people don't check those inputs.

  There's certainly a bug here, but it's not a security bug.

• 

  Michael Koziarski February 16th, 2011 @ 10:29 PM

  • Title changed from “rails security bug - request.remote_ip/X-Forwarded-For not sanitized” to “request.remote_ip/X-Forwarded-For may not be an IP”
• 

  Santiago Pastorino February 27th, 2011 @ 03:15 AM

  • Milestone changed from “3.0.5” to “3.0.6”

  [bulk edit]

• You flagged this item as spam.
  

  Christopher Meiklejohn March 3rd, 2011 @ 04:23 AM

  Is the issue here just that the input isn't validated as an actual IP address?

• You flagged this item as spam.
  

  alindeman March 26th, 2011 @ 03:19 PM

  I'd be happy to help fix this, but there are a existing few tests that make me wonder what the expected behavior is:

  request = stub_request 'HTTP_X_FORWARDED_FOR' => 'unknown,192.168.0.1'
  assert_equal 'unknown', request.remote_ip
  

  As the tests are written, it seems like returning a string (non-IP) was thought about. What's the expected behavior here then?