Revert "Don’t ignore X-Forwarded-For IPs with ports attached"

Depends on newer Rack API. This reverts commit fbf1d82e0d.
2022-11-09 12:12:34 -05:00 · 2020-05-12 08:07:17 -04:00 · 2020-05-12 08:07:17 -04:00 · 25bc1c0134
commit 25bc1c0134
parent 0dc3f5146d
3 changed files with 4 additions and 15 deletions
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@ -1,8 +1,3 @@
-*   `remote_ip` will no longer ignore IPs in X-Forwarded-For headers if they
-    are accompanied by port information.
-
-    *Duncan Brown*, *Prevenios Marinos*
-
 *   `fixture_file_upload` now uses path relative to `file_fixture_path`

    Previously the path had to be relative to `fixture_path`.
--- a/actionpack/lib/action_dispatch/middleware/remote_ip.rb
+++ b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
@ -111,11 +111,11 @@ module ActionDispatch
      # the last address left, which was presumably set by one of those proxies.
      def calculate_ip
        # Set by the Rack web server, this is a single value.
-        remote_addr = sanitize_ips(ips_from(@req.remote_addr)).last
+        remote_addr = ips_from(@req.remote_addr).last

        # Could be a CSV list and/or repeated headers that were concatenated.
-        client_ips    = sanitize_ips(ips_from(@req.client_ip)).reverse
-        forwarded_ips = sanitize_ips(@req.forwarded_for || []).reverse
+        client_ips    = ips_from(@req.client_ip).reverse
+        forwarded_ips = ips_from(@req.x_forwarded_for).reverse

        # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
        # If they are both set, it means that either:
@ -160,10 +160,7 @@ module ActionDispatch
      def ips_from(header) # :doc:
        return [] unless header
        # Split the comma-separated list into an array of strings.
-        header.strip.split(/[,\s]+/)
-      end
-
-      def sanitize_ips(ips) # :doc:
+        ips = header.strip.split(/[,\s]+/)
        ips.select do |ip|
          # Only return IPs that are valid according to the IPAddr#new method.
          range = IPAddr.new(ip).to_range
--- a/actionpack/test/dispatch/request_test.rb
+++ b/actionpack/test/dispatch/request_test.rb
@ -102,9 +102,6 @@ class RequestIP < BaseRequestTest
    request = stub_request "HTTP_X_FORWARDED_FOR" => "3.4.5.6,127.0.0.1"
    assert_equal "3.4.5.6", request.remote_ip

-    request = stub_request "HTTP_X_FORWARDED_FOR" => "3.4.5.6:1234,127.0.0.1"
-    assert_equal "3.4.5.6", request.remote_ip
-
    request = stub_request "HTTP_X_FORWARDED_FOR" => "unknown,192.168.0.1"
    assert_equal "192.168.0.1", request.remote_ip