1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/actionpack
Duncan Brown fbf1d82e0d
Don’t ignore X-Forwarded-For IPs with ports attached
Rack decided to tolerate proxies which choose to attach ports to
X-Forwarded-For IPs by stripping the port:
https://github.com/rack/rack/pull/1251. Attaching a port is rare in the
wild but some proxies (notably Microsoft Azure's App Service) do it.

Without this patch, remote_ip will ignore X-Forwarded-For IPs with ports
attached and the return value is less likely to be useful.

Rails should do the same thing. The stripping logic is already available
in Rack::Request::Helpers, so change the X-Forwarded-For retrieval
method from ActionDispatch::Request#x_forwarded_for (which returns the
raw header) to #forwarded_for, which returns a stripped array of IP
addresses, or nil. There may be other benefits hiding in Rack's
implementation.

We can't call ips_from with an array (and legislating for that inside
ips_from doesn't appeal), so refactor out the bit we need to apply in
both cases (verifying the IP is acceptable to IPAddr and that it's not a
range) to a separate method called #sanitize_ips which reduces an array of
maybe-ips to an array of acceptable ones.
2020-05-09 22:23:34 -04:00
..
bin Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
lib Don’t ignore X-Forwarded-For IPs with ports attached 2020-05-09 22:23:34 -04:00
test Don’t ignore X-Forwarded-For IPs with ports attached 2020-05-09 22:23:34 -04:00
actionpack.gemspec Update minimum Rack version to 2.0.9 2020-04-19 23:28:18 +01:00
CHANGELOG.md Don’t ignore X-Forwarded-For IPs with ports attached 2020-05-09 22:23:34 -04:00
MIT-LICENSE Bump license years from 2019 to 2020 [ci skip] 2020-01-01 15:10:31 +05:30
Rakefile Load framework test files in deterministic order 2019-12-16 16:55:06 +00:00
README.rdoc Update the Rails mailing list URLs to new discuss discourse URL [ci skip] 2020-04-02 22:00:28 +05:30

= Action Pack -- From request to response

Action Pack is a framework for handling and responding to web requests. It
provides mechanisms for *routing* (mapping request URLs to actions), defining
*controllers* that implement actions, and generating responses by rendering
*views*, which are templates of various formats. In short, Action Pack
provides the view and controller layers in the MVC paradigm.

It consists of several modules:

* Action Dispatch, which parses information about the web request, handles
  routing as defined by the user, and does advanced processing related to HTTP
  such as MIME-type negotiation, decoding parameters in POST, PATCH, or PUT bodies,
  handling HTTP caching logic, cookies and sessions.

* Action Controller, which provides a base controller class that can be
  subclassed to implement filters and actions to handle requests. The result
  of an action is typically content generated from views.

With the Ruby on Rails framework, users only directly interface with the
Action Controller module. Necessary Action Dispatch functionality is activated
by default and Action View rendering is implicitly triggered by Action
Controller. However, these modules are designed to function on their own and
can be used outside of Rails.

You can read more about Action Pack in the {Action Controller Overview}[https://guides.rubyonrails.org/action_controller_overview.html] guide.

== Download and installation

The latest version of Action Pack can be installed with RubyGems:

  $ gem install actionpack

Source code can be downloaded as part of the Rails project on GitHub:

* https://github.com/rails/rails/tree/master/actionpack


== License

Action Pack is released under the MIT license:

* https://opensource.org/licenses/MIT


== Support

API documentation is at:

* https://api.rubyonrails.org

Bug reports for the Ruby on Rails project can be filed here:

* https://github.com/rails/rails/issues

Feature requests should be discussed on the rails-core mailing list here:

* https://discuss.rubyonrails.org/c/rubyonrails-core