This project is archived and is in readonly mode.

#6687 new

X-Forwarded-For ignored when "trusted"

Reported by jaswope | April 8th, 2011 @ 03:28 PM

ActionDispatch:RemoteIp ignores X-Forwarded-For if all of the IPs it contains are considered trusted proxies. This list includes localhost and all private addresses.

This impacts applications that are hosted behind a reverse proxy (proxying to localhost) and accessed from a private IP, such as intranet applications. Aside from making the remote ip detection incorrect, this causes problems with ActionDispatch::Request.local?, causing it to incorrectly return true, which in turn causes default configurations of Rails apps to show stack traces when they shouldn't.

The offending line appears to be here:

Perhaps it should fall back to the last ip in the forwarded for chain instead:

return forwarded_ips.reject { |ip| ip =~ @trusted_proxies }.last || forwarded_ips.last

No comments found

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>

People watching this ticket