-rwxr-xr-xvendor/rails-2.1.0/actionpack/lib/action_controller/request.rb7
-rw-r--r--vendor/rails-2.1.0/actionpack/test/controller/request_test.rb3
2 files changed, 7 insertions, 3 deletions
diff --git a/vendor/rails-2.1.0/actionpack/lib/action_controller/request.rb b/vendor/rails-2.1.0/actionpack/lib/action_controller/request.rb
index a35b90419..f275ec11b 100755
--- a/vendor/rails-2.1.0/actionpack/lib/action_controller/request.rb
+++ b/vendor/rails-2.1.0/actionpack/lib/action_controller/request.rb
@@ -140,8 +140,10 @@ module ActionController
return @env['REMOTE_ADDR']
end
+ remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',')
+
if @env.include? 'HTTP_CLIENT_IP'
- if @env.include? 'HTTP_X_FORWARDED_FOR'
+ if remote_ips and !remote_ips.include?(@env['HTTP_CLIENT_IP'])
# We don't know which came from the proxy, and which from the user
raise ActionControllerError.new(<<EOM)
IP spoofing attack?!
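Review bot: The new check `!remote_ips.include?(@env['HTTP_CLIENT_IP'])` compares against unstripped entries, because `split(',')` keeps the space after each comma; a Client-IP equal to any entry other than the first will not match and a legitimate request raises the spoofing error. The later loop already calls `.strip` on `remote_ips.last`, so I would normalise once at the split: `remote_ips = @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_X_FORWARDED_FOR'].split(',').map { |ip| ip.strip }`. The assertion added in request_test.rb only puts the Client-IP first in the list, so a case with it in second position would pin this. It is also worth a comment above the check noting that both headers are client-supplied unless a fronting proxy overwrites them, so their agreement does not make `remote_ip` suitable for access-control decisions. The enclosing method starts and ends outside the hunk.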
@@ -152,8 +154,7 @@ EOM
return @env['HTTP_CLIENT_IP']
end
- if @env.include? 'HTTP_X_FORWARDED_FOR' then
- remote_ips = @env['HTTP_X_FORWARDED_FOR'].split(',')
+ if remote_ips
while remote_ips.size > 1 && TRUSTED_PROXIES =~ remote_ips.last.strip
remote_ips.pop
end
diff --git a/vendor/rails-2.1.0/actionpack/test/controller/request_test.rb b/vendor/rails-2.1.0/actionpack/test/controller/request_test.rb
index 82ddfec8e..2bd489b2c 100644
--- a/vendor/rails-2.1.0/actionpack/test/controller/request_test.rb
+++ b/vendor/rails-2.1.0/actionpack/test/controller/request_test.rb
@@ -59,6 +59,9 @@ class RequestTest < Test::Unit::TestCase
assert_match /HTTP_X_FORWARDED_FOR="9.9.9.9, 3.4.5.6, 10.0.0.1, 172.31.4.4"/, e.message
assert_match /HTTP_CLIENT_IP="8.8.8.8"/, e.message
+ @request.env['HTTP_X_FORWARDED_FOR'] = '8.8.8.8, 9.9.9.9'
+ assert_equal '8.8.8.8', @request.remote_ip
+
@request.env.delete 'HTTP_CLIENT_IP'
@request.env.delete 'HTTP_X_FORWARDED_FOR'
end