From 4e7dce7e40d490a55d95a7fc697483427f081b0e Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson
Date: Mon, 17 Sep 2007 11:12:10 +0000
Subject: [PATCH] Added security notice to Request#remote_ip underlining the fact that its value can be spoofed (and that you should use Request#remote_addr if thats a concern for your application) [Adrian Holovaty]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7502 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/lib/action_controller/request.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/actionpack/lib/action_controller/request.rb b/actionpack/lib/action_controller/request.rb
index 0f14ede347..602b7602b6 100755
--- a/actionpack/lib/action_controller/request.rb
+++ b/actionpack/lib/action_controller/request.rb
@@ -119,6 +119,14 @@ module ActionController
 # falling back to REMOTE_ADDR. HTTP_X_FORWARDED_FOR may be a comma-
 # delimited list in the case of multiple chained proxies; the first is
 # the originating IP.
+ #
+ # Security note: Be aware that since remote_ip will check regular HTTP headers,
+ # it can be tricked by anyone setting those manually. In other words, people can
+ # pose as whatever IP address they like to this method. That doesn't matter if
+ # all your doing is using IP addresses for statistical or geographical information,
+ # but if you want to, for example, limit access to an administrative area by IP,
+ # you should instead use Request#remote_addr, which can't be spoofed (but also won't
+ # survive proxy forwards).
 def remote_ip
 return @env['HTTP_CLIENT_IP'] if @env.include? 'HTTP_CLIENT_IP'
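Review bot: The added security note above remote_ip says Request#remote_addr "can't be spoofed", which holds for the TCP peer address but, as the parenthetical concedes, behind a reverse proxy that address is the proxy's own, so the advice to use remote_addr for IP-based access control is only sound when no proxy sits in front of the application; the comment should state that consequence plainly, e.g. `# remote_addr is the TCP peer, so behind a reverse proxy it is the proxy's address; enforce IP restrictions at the proxy or firewall in that deployment.` The same paragraph has a typo, `all your doing` should read `all you're doing`. The trailing context line `return @env['HTTP_CLIENT_IP'] if @env.include? 'HTTP_CLIENT_IP'` shows that HTTP_CLIENT_IP is honored unconditionally, which is exactly the behavior the note warns about, so it may be worth saying in the comment that these headers are only trustworthy when a proxy the application controls overwrites them. The body of remote_ip continues outside the hunk.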