Rescue from IpSpoofAttackError when using remote IP

Some proxies seem to be setting the Client-IP HTTP header to 127.0.0.1.
Rails checks that Client-IP is contained in X-Forwarded-For and raises
the error.

We decided to rescue in this individual case rather than adding a
middleware to strip Client-IP
(http://writeheavy.com/2011/07/31/when-its-ok-to-turn-of-rails-ip-spoof-checking.html#well_thats_stupid_can_we_turn_it_off)
so that we don't introduce unexpected behaviour. If we start to do anything
more with request.remote_ip, then we should look at doing so.

See
http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection
for an in-depth look at this issue.

1 files changed, 5 insertions, 1 deletions

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 410778d9a..b6547d1d0 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -432,7 +432,11 @@ class ApplicationController < ActionController::Base
     def country_from_ip
         country = ""
         if !AlaveteliConfiguration::gaze_url.empty?
-            country = quietly_try_to_open("#{AlaveteliConfiguration::gaze_url}/gaze-rest?f=get_country_from_ip;ip=#{request.remote_ip}")
+            begin
+                country = quietly_try_to_open("#{AlaveteliConfiguration::gaze_url}/gaze-rest?f=get_country_from_ip;ip=#{request.remote_ip}")
+            rescue ActionDispatch::RemoteIp::IpSpoofAttackError
+                country = AlaveteliConfiguration::iso_country_code
+            end
         end
         country = AlaveteliConfiguration::iso_country_code if country.empty?
         return country