
Ticket #7386 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

[PATCH] ActionController::AbstractRequest#remote_ip doesn't handle HTTP_X_REQUESTED_WITH = 10.0.0.1, 10.0.0.1, 3.4.5.6 (for example)

Reported by: moses
Assigned to: core
Priority: normal
Milestone: 1.2.4
Component: ActionPack
Version:
Severity: normal
Keywords:
Cc:

Description

A customer of ours accesses our app from behind a proxy, and requests sent to our server happen to have the HTTP header HTTP_X_REQUESTED_WITH set to a redundant comma-delimited list like the following: 10.0.0.1, 10.0.0.1, 3.4.5.6, where 3.4.5.6 is the WAN address and 10.0.0.1 is the LAN address. Note the spaces between the comma and the number. It just so happens that this string isn't handled correctly by AbstractRequest#remote_ip, because of the spaces. I've attached a patch that strips the ip string before comparing it to the regular expression used to reject LAN addresses, and adds another case to the remote_ip unit test.

Attachments

request_remote_ip_patch.diff (1.2 kB) - added by moses on 01/26/07 00:09:08.
patch fixing remote_ip and adding a unit test for this case

Change History

01/26/07 00:09:08 changed by moses

  • attachment request_remote_ip_patch.diff added.


05/27/07 23:45:21 changed by moses

Note, I meant HTTP_X_FORWARDED_FOR, not HTTP_X_REQUESTED_WITH. I realize this is a minor bug that won't affect most people, but it is clearly a problem with the code; please consider applying the patch.

05/28/07 00:10:17 changed by bitsweat

  • status changed from new to closed.
  • resolution set to fixed.

(In [6877]) request.remote_ip understands X-Forwarded-For addresses with nonstandard whitespace. Closes #7386.
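
The whitespace problem discussed in this ticket, as an added example that is neither the Rails source nor the attached patch: a simplified model of picking the client address from an X-Forwarded-For value, with the filter applied before and after stripping each entry. The method names, the `PRIVATE_OR_UNKNOWN` pattern and the sample inputs are assumptions constructed for illustration. The result matters because the chosen address typically ends up in logs and IP-based checks.

```ruby
# Added illustration; not the Rails source or the patch attached to the ticket.
# PRIVATE_OR_UNKNOWN is an assumed, simplified filter: "unknown" plus the
# RFC 1918 private ranges, anchored at the start of the entry.
PRIVATE_OR_UNKNOWN =
  /\A(?:unknown\z|10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.)/i

# Unstripped variant: every comma-separated entry is matched as-is, so an
# entry with leading whitespace (" 10.0.0.1") slips past the anchored pattern.
def remote_ip_unstripped(forwarded_for, remote_addr)
  candidates = forwarded_for.to_s.split(',')
                            .reject { |ip| ip =~ PRIVATE_OR_UNKNOWN }
  candidates.empty? ? remote_addr : candidates.first.strip
end

# Stripped variant: normalise whitespace first, then filter.
def remote_ip_stripped(forwarded_for, remote_addr)
  candidates = forwarded_for.to_s.split(',').map(&:strip)
                            .reject { |ip| ip.empty? || ip =~ PRIVATE_OR_UNKNOWN }
  candidates.empty? ? remote_addr : candidates.first
end

# Constructed sample header values; the first is the one from the ticket.
SAMPLES = [
  '10.0.0.1, 10.0.0.1, 3.4.5.6', # spaces after commas
  '10.0.0.1,10.0.0.1,3.4.5.6',   # same list, no spaces
  "unknown,\t192.168.0.7",       # tab before a private address
  ''                             # header present but empty
].freeze

# Returns [header, unstripped result, stripped result] for each sample.
def compare(samples, remote_addr)
  samples.map do |xff|
    [xff, remote_ip_unstripped(xff, remote_addr), remote_ip_stripped(xff, remote_addr)]
  end
end

if __FILE__ == $0
  compare(SAMPLES, '203.0.113.9').each do |xff, before, after|
    puts format('%-32s unstripped=%-12s stripped=%s', xff.inspect, before, after)
  end
end
```

With the ticket's header value, the unstripped variant reports the LAN address `10.0.0.1` while the stripped variant reports the WAN address `3.4.5.6`.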