lib/action_dispatch/middleware/remote_ip.rb in actionpack-3.2.14 vs lib/action_dispatch/middleware/remote_ip.rb in actionpack-3.2.15.rc1
- old
+ new
@@ -47,10 +47,10 @@
def calculate_ip
client_ip = @env['HTTP_CLIENT_IP']
forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR')
remote_addrs = ips_from('REMOTE_ADDR')
- check_ip = client_ip && @middleware.check_ip
+ check_ip = client_ip && forwarded_ips.present? && @middleware.check_ip
if check_ip && !forwarded_ips.include?(client_ip)
# We don't know which came from the proxy, and which from the user
raise IpSpoofAttackError, "IP spoofing attack?!" \
"HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect}" \
"HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}"