/vendor/bundle/jruby/2.1/gems/rack-protection-1.5.3/lib/rack/protection/ip_spoofing.rb

https://github.com/delowong/logstash · Ruby · 23 lines · 15 code · 2 blank · 6 comment · 2 complexity · 9e55edf0dbbc1f64647668947186796b MD5 · raw file 

    

  1. require 'rack/protection'
    2. 

  2. 

  3. module Rack
    4. 

  4.   module Protection
    5. 

  5.     ##
    6. 

  6.     # Prevented attack::   IP spoofing
    7. 

  7.     # Supported browsers:: all
    8. 

  8.     # More infos::         http://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing/
    9. 

  9.     #
    10. 

  10.     # Detect (some) IP spoofing attacks.
    11. 

  11.     class IPSpoofing < Base
    12. 

  12.       default_reaction :deny
    13. 

  13. 

  14.       def accepts?(env)
    15. 

  15.         return true unless env.include? 'HTTP_X_FORWARDED_FOR'
    16. 

  16.         ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
    17. 

  17.         return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
    18. 

  18.         return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
    19. 

  19.         true
    20. 

  20.       end
    21. 

  21.     end
    22. 

  22.   end
    23. 

  23. end
    24.