Merge pull request #12410 from tamird/fix-ip-spoof-errors

Fix ip spoof errors
2026-01-10 07:07:54 -05:00 · 2013-10-01 01:28:07 -07:00
parent ccd11d5891 85106decc4
commit 83c4b0a7f9
3 changed files with 19 additions and 1 deletions
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,13 @@
 ## unreleased ##

+*   Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
+    attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
+
+    Fixes #12410
+    Backports #10844
+
+    *Tamir Duberstein*
+
 *   Fix the assert_recognizes test method so that it works when there are
    constraints on the querystring.

--- a/actionpack/lib/action_dispatch/middleware/remote_ip.rb
+++ b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
@@ -49,7 +49,7 @@ module ActionDispatch
        forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR')
        remote_addrs  = ips_from('REMOTE_ADDR')

-        check_ip = client_ip && @middleware.check_ip
+        check_ip = client_ip && forwarded_ips.present? && @middleware.check_ip
        if check_ip && !forwarded_ips.include?(client_ip)
          # We don't know which came from the proxy, and which from the user
          raise IpSpoofAttackError, "IP spoofing attack?!" \
--- a/railties/test/application/middleware/remote_ip_test.rb
+++ b/railties/test/application/middleware/remote_ip_test.rb
@@ -46,6 +46,16 @@ module ApplicationTests
      end
    end

+    test "works with both headers individually" do
+      make_basic_app
+      assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do
+        assert_equal "1.1.1.1", remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1")
+      end
+      assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do
+        assert_equal "1.1.1.2", remote_ip("HTTP_CLIENT_IP" => "1.1.1.2")
+      end
+    end
+
    test "can disable IP spoofing check" do
      make_basic_app do |app|
        app.config.action_dispatch.ip_spoofing_check = false