From 8544c9c23687964ab754c06a7745215a5369a4e0 Mon Sep 17 00:00:00 2001
From: Nick Soracco
Date: Thu, 2 Jan 2020 11:50:06 -0800
Subject: [PATCH] Minor fix to correctly identify the entire scope of the loopback address, per RFC-3330.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From #38142 [Rafael Mendonça França + Nick Soracco]
---
 actionpack/CHANGELOG.md | 4 ++++
 actionpack/lib/action_dispatch/middleware/remote_ip.rb | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index d80073886b..346ff39c46 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,7 @@ +* Correctly identify the entire localhost IPv4 range as trusted proxy. + + *Nick Soracco* + * `url_for` will now use "https://" as the default protocol when `Rails.application.config.force_ssl` is set to true.
diff --git a/actionpack/lib/action_dispatch/middleware/remote_ip.rb b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
index feea3cf077..02ab819dc1 100644
--- a/actionpack/lib/action_dispatch/middleware/remote_ip.rb
+++ b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
@@ -33,7 +33,7 @@ module ActionDispatch
 # not be the ultimate client IP in production, and so are discarded. See
 # https://en.wikipedia.org/wiki/Private_network for details.
 TRUSTED_PROXIES = [
- "127.0.0.1", # localhost IPv4
+ "127.0.0.0/8", # localhost IPv4 range, per RFC-3330
 "::1", # localhost IPv6
 "fc00::/7", # private IPv6 range fc00::/7
 "10.0.0.0/8", # private IPv4 range 10.x.x.x
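Review bot: The widened `"127.0.0.0/8"` entry in TRUSTED_PROXIES lands without a test (the diffstat lists only the changelog and remote_ip.rb), although the comment above the list says these addresses are discarded when determining the client IP. A test asserting that a loopback address other than 127.0.0.1 (constructed example: 127.0.0.2) in the forwarded chain is treated as a proxy and skipped would pin the new behaviour. The trailing comment cites RFC-3330, which has since been obsoleted by RFC 5735 and then RFC 6890; `"127.0.0.0/8", # localhost IPv4 range 127.x.x.x, per RFC 6890` would cite the current document and match the `10.x.x.x` wording of the neighbouring entries. The array literal continues past the end of the hunk, so the remaining entries are not visible here.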