Project: 张重言 / rails
Commit 1715f113
Authored on Nov 22, 2015 by Grey Baker
Clearer comment and variable name on IP spoofing
Parent 0b9812bd
Showing 1 changed file with 15 additions and 7 deletions (+15, -7)

actionpack/lib/action_dispatch/middleware/remote_ip.rb
@@ -43,7 +43,7 @@ class IpSpoofAttackError < StandardError; end
# Create a new +RemoteIp+ middleware instance.
#
# The +
check_ip_spoofing
+ option is on by default. When on, an exception
# The +
ip_spoofing_check
+ option is on by default. When on, an exception
# is raised if it looks like the client is trying to lie about its own IP
# address. It makes sense to turn off this check on sites aimed at non-IP
# clients (like WAP devices), or behind proxies that set headers in an
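Review bot: the option name in this doc comment changes to +ip_spoofing_check+, so it must stay in sync with the parameter name in `initialize`; because that parameter is positional (`initialize(app, ip_spoofing_check = true, custom_proxies = nil)`), the rename changes only the documentation and not how callers pass the flag, so existing callers keep working. The comment is still vague about what "on" actually rejects; consider stating that, with the check on, a request carrying both +Client-Ip+ and +X-Forwarded-For+ with conflicting values raises +IpSpoofAttackError+, which is the behaviour implemented in `calculate_ip` below.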
@@ -57,9 +57,9 @@ class IpSpoofAttackError < StandardError; end
# with your proxy servers after it. If your proxies aren't removed, pass
# them in via the +custom_proxies+ parameter. That way, the middleware will
# ignore those IP addresses, and return the one that you want.
def
initialize
(
app
,
check_ip_spoofing
=
true
,
custom_proxies
=
nil
)
def
initialize
(
app
,
ip_spoofing_check
=
true
,
custom_proxies
=
nil
)
@app
=
app
@check_ip
=
check_ip_spoofing
@check_ip
=
ip_spoofing_check
@proxies
=
if
custom_proxies
.
blank?
TRUSTED_PROXIES
elsif
custom_proxies
.
respond_to?
(
:any?
)
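Review bot: the instance variable stays `@check_ip` while the parameter it stores is now `ip_spoofing_check`; given the commit's stated aim of a clearer variable name, consider renaming the ivar as well (for example `@check_ip_spoofing`) and updating its single use in `calculate_ip` (`should_check_ip = @check_ip && ...`) in the same commit, so both names say "spoofing" rather than suggesting a generic IP validity check. Otherwise the hunk is a pure rename with no behavioural change: the default remains `true`, so the spoofing check stays enabled unless a caller explicitly passes `false`.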
@@ -116,10 +116,18 @@ def calculate_ip
forwarded_ips
=
ips_from
(
@req
.
x_forwarded_for
).
reverse
# +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
# If they are both set, it means that this request passed through two
# proxies with incompatible IP header conventions, and there is no way
# for us to determine which header is the right one after the fact.
# Since we have no idea, we give up and explode.
# If they are both set, it means that either:
#
# 1) This request passed through two proxies with incompatible IP header
# conventions.
# 2) The client passed one of +Client-Ip+ or +X-Forwarded-For+
# (whichever the proxy servers weren't using) themselves.
#
# Either way, there is no way for us to determine which header is the
# right one after the fact. Since we have no idea, if we are concerned
# about IP spoofing we need to give up and explode. (If you're not
# concerned about IP spoofing you can turn the +ip_spoofing_check+
# option off.)
should_check_ip
=
@check_ip
&&
client_ips
.
last
&&
forwarded_ips
.
last
if
should_check_ip
&&
!
forwarded_ips
.
include?
(
client_ips
.
last
)
# We don't know which came from the proxy, and which from the user
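Review bot: the expanded comment says that when both +Client-Ip+ and +X-Forwarded-For+ are set "we need to give up and explode", but the condition immediately below raises only when the last +Client-Ip+ address is absent from the +X-Forwarded-For+ list (`should_check_ip && !forwarded_ips.include?(client_ips.last)`); a request carrying both headers with agreeing values is accepted. Suggest tightening the wording to "... if the two headers disagree, we give up and explode", so readers do not conclude that any request with both headers is rejected. The second enumerated cause (the client supplying one of the headers itself) is exactly the spoofing case this check exists for, so the pointer to +ip_spoofing_check+ is worth keeping; note that turning the option off makes `should_check_ip` false, so the mismatch is never detected at all.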