Merge branch '3-2-stable' into 3-2-sec

* 3-2-stable:
  make sure both headers are set before checking for ip spoofing
  Move set_inverse_instance to association.build_record

actionpack/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## unreleased ##
 
+*   Fix `ActionDispatch::RemoteIp::GetIp#calculate_ip` to only check for spoofing
+    attacks if both `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are set.
+
+    Fixes #12410
+    Backports #10844
+
+    *Tamir Duberstein*
+
 *   Fix the assert_recognizes test method so that it works when there are
     constraints on the querystring.
 

actionpack/lib/action_dispatch/middleware/remote_ip.rb

@@ -49,7 +49,7 @@ module ActionDispatch
         forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR')
         remote_addrs  = ips_from('REMOTE_ADDR')
 
-        check_ip = client_ip && @middleware.check_ip
+        check_ip = client_ip && forwarded_ips.present? && @middleware.check_ip
         if check_ip && !forwarded_ips.include?(client_ip)
           # We don't know which came from the proxy, and which from the user
           raise IpSpoofAttackError, "IP spoofing attack?!" \

activerecord/CHANGELOG.md

@@ -1,4 +1,10 @@
 ## unreleased ##
+*   Move .set_inverse_instance call to association.build_record method. Everytime a new record is build
+    using the association, we need to try to set the inverse_of relation.
+
+    Fixes #10371.
+
+    *arthurnn*
 
 *   When calling the method .find_or_initialize_by_* from a collection_proxy
     it should set the inverse_of relation even when the entry was found on the db.

activerecord/lib/active_record/associations/association.rb

@@ -240,6 +240,7 @@ module ActiveRecord
             skip_assign = [reflection.foreign_key, reflection.type].compact
             attributes = create_scope.except(*(record.changed - skip_assign))
             record.assign_attributes(attributes, :without_protection => true)
+            set_inverse_instance(record)
           end
         end
     end

activerecord/lib/active_record/associations/collection_association.rb

@@ -350,7 +350,6 @@ module ActiveRecord
         end
 
         callback(:after_add, record)
-        set_inverse_instance(record)
 
         record
       end

activerecord/test/cases/associations/inverse_associations_test.rb

@@ -125,8 +125,10 @@ class InverseHasOneTests < ActiveRecord::TestCase
   end
 
   def test_parent_instance_should_be_shared_with_newly_created_child
-    m = Man.find(:first)
+    m = Man.create
     f = m.create_face(:description => 'haunted')
+
+    assert_equal m.object_id, f.man.object_id
     assert_not_nil f.man
     assert_equal m.name, f.man.name, "Name of man should be the same before changes to parent instance"
     m.name = 'Bongo'

railties/test/application/middleware/remote_ip_test.rb

@@ -46,6 +46,16 @@ module ApplicationTests
       end
     end
 
+    test "works with both headers individually" do
+      make_basic_app
+      assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do
+        assert_equal "1.1.1.1", remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1")
+      end
+      assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do
+        assert_equal "1.1.1.2", remote_ip("HTTP_CLIENT_IP" => "1.1.1.2")
+      end
+    end
+
     test "can disable IP spoofing check" do
       make_basic_app do |app|
         app.config.action_dispatch.ip_spoofing_check = false