From 8d3b3044fb4a606b76a03abbb71064bcb4875704 Mon Sep 17 00:00:00 2001 From: Gareth Rees Date: Mon, 14 Apr 2014 10:03:10 +0100 Subject: Rescue from IpSpoofAttackError when using remote IP Some proxies seem to be setting the Client-IP HTTP header to 127.0.0.1. Rails checks that Client-IP is contained in X-Forwarded-For and raises the error. We decided to rescue in this individual case rather than adding a middleware to strip Client-IP (http://writeheavy.com/2011/07/31/when-its-ok-to-turn-of-rails-ip-spoof-checking.html#well_thats_stupid_can_we_turn_it_off) so that we don't introduce unexpected behaviour. If we start to do anything more with request.remote_ip, then we should look at doing so. See http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection for an in-depth look at this issue. --- spec/integration/ip_spoofing_spec.rb | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 spec/integration/ip_spoofing_spec.rb (limited to 'spec/integration/ip_spoofing_spec.rb') diff --git a/spec/integration/ip_spoofing_spec.rb b/spec/integration/ip_spoofing_spec.rb new file mode 100644 index 000000000..073f71ad6 --- /dev/null +++ b/spec/integration/ip_spoofing_spec.rb @@ -0,0 +1,11 @@ +require File.expand_path(File.dirname(__FILE__) + '/../spec_helper') + +describe 'when getting a country message' do + + it 'should not raise an IP spoofing error when given mismatched headers' do + get '/country_message', nil, { 'HTTP_X_FORWARDED_FOR' => '1.2.3.4', + 'HTTP_CLIENT_IP' => '5.5.5.5' } + response.status.should == 200 + end + +end -- cgit v1.2.3
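Review bot: The only assertion in this spec is `response.status.should == 200`, which pins "no 500" rather than the intended handling; the same test would pass if a broad `rescue` anywhere in the controller swallowed the `IpSpoofAttackError` along with everything else. Consider also asserting on the response body (for example that the fallback country message for an undeterminable IP is rendered) so the spec documents what `/country_message` is expected to do when `request.remote_ip` cannot be trusted. It would also help to add a companion example that sends only `HTTP_X_FORWARDED_FOR` and checks the normal path, so the rescue is shown to be limited to the mismatched-header case and does not change behaviour for well-formed requests. Note that the cgit view is limited to `spec/integration/ip_spoofing_spec.rb`, so the rescue itself is not in this diff; the description says the rescue is scoped to this one use of `request.remote_ip`, and any future caller of `remote_ip` elsewhere will still raise, as the commit message acknowledges.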