This is an error I found in my Rails production environment:
IP spoofing attack?!HTTP_CLIENT_IP="10.127.166.241"HTTP_X_FORWARDED_FOR="10.127.166.241, 61.164.36.180"
actionpack (3.2.11) lib/action_dispatch/middleware/remote_ip.rb:55:in `calculate_ip'
So I dug into the Rails remote_ip.rb source code, went through calculate_ip, and tested it locally. I found that this should not happen. Here is the test code:
forwarded_ips = "10.127.166.241, 61.164.36.180".strip.split(/[,\s]+/).reverse
client_ips ="10.127.166.241".strip.split(/[,\s]+/).reverse
!forwarded_ips.include?(client_ips.last) # return false?
Based on my understanding after reading the source code, calculate_ip would return 61.164.36.180 in the error case. Does anyone know why? Thanks~
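
An added example, not part of the original post and not the actionpack source: a simplified Ruby model of a Client-IP / X-Forwarded-For consistency check, run on the header values from the error message, showing how the result changes if private-range addresses are dropped from X-Forwarded-For before the membership test. The `TRUSTED` pattern, the filtering step and all function names are assumptions of this sketch.

```ruby
# Simplified model of a Client-IP / X-Forwarded-For consistency check.
# Not the actionpack source; TRUSTED and the filtering step are assumptions.
TRUSTED = /\A(127\.0\.0\.1|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/

class SpoofError < StandardError; end

# Split a header value into addresses, optionally dropping trusted proxies.
def ips_from(value, filter_trusted)
  ips = value ? value.strip.split(/[,\s]+/) : []
  filter_trusted ? ips.reject { |ip| ip =~ TRUSTED } : ips
end

# Raise when Client-IP is set but absent from the (possibly filtered) list.
def check_headers(client_ip, xff, filter_trusted)
  forwarded = ips_from(xff, filter_trusted)
  if client_ip && !forwarded.include?(client_ip)
    raise SpoofError, "Client-IP #{client_ip} not in #{forwarded.inspect}"
  end
  client_ip || forwarded.last
end

# True when the check rejects the header pair, false when it accepts it.
def spoof_flagged?(client_ip, xff, filter_trusted)
  check_headers(client_ip, xff, filter_trusted)
  false
rescue SpoofError
  true
end

# Header values taken from the error message above.
CLIENT_IP = "10.127.166.241"
XFF       = "10.127.166.241, 61.164.36.180"

if __FILE__ == $0
  puts "unfiltered: flagged=#{spoof_flagged?(CLIENT_IP, XFF, false)}"
  puts "filtered:   flagged=#{spoof_flagged?(CLIENT_IP, XFF, true)}"
end
```

With the raw header strings the membership test passes, as in the local test above; once 10.x addresses are filtered out of the forwarded list, the same headers are rejected.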