fix ReDoS

rack-protection/lib/rack/protection/ip_spoofing.rb

@@ -13,9 +13,11 @@ module Rack
 
       def accepts?(env)
         return true unless env.include? 'HTTP_X_FORWARDED_FOR'
-        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
-        return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
-        return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
+
+        ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)
+        return false if env.include?('HTTP_CLIENT_IP') && (!ips.include? env['HTTP_CLIENT_IP'])
+        return false if env.include?('HTTP_X_REAL_IP') && (!ips.include? env['HTTP_X_REAL_IP'])
+
         true
       end
     end