actionpack 3.2.19 → 4.0.0

data/lib/action_dispatch/middleware/flash.rb

@@ -1,23 +1,23 @@
 module ActionDispatch
-  class Request
+  class Request < Rack::Request
     # Access the contents of the flash. Use <tt>flash["notice"]</tt> to
     # read a notice you put there or <tt>flash["notice"] = "hello"</tt>
     # to put a new one.
     def flash
-      @env[Flash::KEY] ||= (session["flash"] || Flash::FlashHash.new)
+      @env[Flash::KEY] ||= Flash::FlashHash.from_session_value(session["flash"])
     end
   end
 
   # The flash provides a way to pass temporary objects between actions. Anything you place in the flash will be exposed
   # to the very next action and then cleared out. This is a great way of doing notices and alerts, such as a create
   # action that sets <tt>flash[:notice] = "Post successfully created"</tt> before redirecting to a display action that can
-  # then expose the flash to its template. Actually, that exposure is automatically done. Example:
+  # then expose the flash to its template. Actually, that exposure is automatically done.
   #
   #   class PostsController < ActionController::Base
   #     def create
   #       # save post
   #       flash[:notice] = "Post successfully created"
-  #       redirect_to posts_path(@post)
+  #       redirect_to @post
   #     end
   #
   #     def show
@@ -59,28 +59,41 @@ module ActionDispatch
         @flash[k]
       end
 
-      # Convenience accessor for flash.now[:alert]=
+      # Convenience accessor for <tt>flash.now[:alert]=</tt>.
       def alert=(message)
         self[:alert] = message
       end
 
-      # Convenience accessor for flash.now[:notice]=
+      # Convenience accessor for <tt>flash.now[:notice]=</tt>.
       def notice=(message)
         self[:notice] = message
       end
     end
 
-    # Implementation detail: please do not change the signature of the
-    # FlashHash class. Doing that will likely affect all Rails apps in
-    # production as the FlashHash currently stored in their sessions will
-    # become invalid.
     class FlashHash
       include Enumerable
 
-      def initialize #:nodoc:
-        @used    = Set.new
-        @closed  = false
-        @flashes = {}
+      def self.from_session_value(value)
+        flash = case value
+                when FlashHash # Rails 3.1, 3.2
+                  new(value.instance_variable_get(:@flashes), value.instance_variable_get(:@used))
+                when Hash # Rails 4.0
+                  new(value['flashes'], value['discard'])
+                else
+                  new
+                end
+
+        flash.tap(&:sweep)
+      end
+
+      def to_session_value
+        return nil if empty?
+        {'discard' => @discard.to_a, 'flashes' => @flashes}
+      end
+
+      def initialize(flashes = {}, discard = []) #:nodoc:
+        @discard = Set.new(discard)
+        @flashes = flashes
         @now     = nil
       end
 
@@ -92,8 +105,8 @@ module ActionDispatch
         super
       end
 
-      def []=(k, v) #:nodoc:
-        keep(k)
+      def []=(k, v)
+        @discard.delete k
         @flashes[k] = v
       end
 
@@ -102,7 +115,7 @@ module ActionDispatch
       end
 
       def update(h) #:nodoc:
-        h.keys.each { |k| keep(k) }
+        @discard.subtract h.keys
         @flashes.update h
         self
       end
@@ -116,6 +129,7 @@ module ActionDispatch
       end
 
       def delete(key)
+        @discard.delete key
         @flashes.delete key
         self
       end
@@ -129,6 +143,7 @@ module ActionDispatch
       end
 
       def clear
+        @discard.clear
         @flashes.clear
       end
 
@@ -139,7 +154,7 @@ module ActionDispatch
       alias :merge! :update
 
       def replace(h) #:nodoc:
-        @used = Set.new
+        @discard.clear
         @flashes.replace h
         self
       end
@@ -154,6 +169,14 @@ module ActionDispatch
       # vanish when the current action is done.
       #
       # Entries set via <tt>now</tt> are accessed the same way as standard entries: <tt>flash['my-key']</tt>.
+      #
+      # Also, brings two convenience accessors:
+      #
+      #   flash.now.alert = "Beware now!"
+      #   # Equivalent to flash.now[:alert] = "Beware now!"
+      #
+      #   flash.now.notice = "Good luck now!"
+      #   # Equivalent to flash.now[:notice] = "Good luck now!"
       def now
         @now ||= FlashNow.new(self)
       end
@@ -163,7 +186,8 @@ module ActionDispatch
       #    flash.keep            # keeps the entire flash
       #    flash.keep(:notice)   # keeps only the "notice" entry, the rest of the flash is discarded
       def keep(k = nil)
-        use(k, false)
+        @discard.subtract Array(k || keys)
+        k ? self[k] : self
       end
 
       # Marks the entire flash or a single flash entry to be discarded by the end of the current action:
@@ -171,63 +195,42 @@ module ActionDispatch
       #     flash.discard              # discard the entire flash at the end of the current action
       #     flash.discard(:warning)    # discard only the "warning" entry at the end of the current action
       def discard(k = nil)
-        use(k)
+        @discard.merge Array(k || keys)
+        k ? self[k] : self
       end
 
       # Mark for removal entries that were kept, and delete unkept ones.
       #
       # This method is called automatically by filters, so you generally don't need to care about it.
       def sweep #:nodoc:
-        keys.each do |k|
-          unless @used.include?(k)
-            @used << k
-          else
-            delete(k)
-            @used.delete(k)
-          end
-        end
-
-        # clean up after keys that could have been left over by calling reject! or shift on the flash
-        (@used - keys).each{ |k| @used.delete(k) }
+        @discard.each { |k| @flashes.delete k }
+        @discard.replace @flashes.keys
       end
 
-      # Convenience accessor for flash[:alert]
+      # Convenience accessor for <tt>flash[:alert]</tt>.
       def alert
         self[:alert]
       end
 
-      # Convenience accessor for flash[:alert]=
+      # Convenience accessor for <tt>flash[:alert]=</tt>.
       def alert=(message)
         self[:alert] = message
       end
 
-      # Convenience accessor for flash[:notice]
+      # Convenience accessor for <tt>flash[:notice]</tt>.
       def notice
         self[:notice]
       end
 
-      # Convenience accessor for flash[:notice]=
+      # Convenience accessor for <tt>flash[:notice]=</tt>.
       def notice=(message)
         self[:notice] = message
       end
 
       protected
-
-        def now_is_loaded?
-          !!@now
-        end
-
-        # Used internally by the <tt>keep</tt> and <tt>discard</tt> methods
-        #     use()               # marks the entire flash as used
-        #     use('msg')          # marks the "msg" entry as used
-        #     use(nil, false)     # marks the entire flash as unused (keeps it around for one more action)
-        #     use('msg', false)   # marks the "msg" entry as unused (keeps it around for one more action)
-        # Returns the single value for the key you asked to be marked (un)used or the FlashHash itself
-        # if no key is passed.
-        def use(key = nil, used = true)
-          Array(key || keys).each { |k| used ? @used << k : @used.delete(k) }
-          return key ? self[key] : self
-        end
+      def now_is_loaded?
+        @now
+      end
     end
 
     def initialize(app)
@@ -235,18 +238,14 @@ module ActionDispatch
     end
 
     def call(env)
-      if (session = env['rack.session']) && (flash = session['flash'])
-        flash.sweep
-      end
-
       @app.call(env)
     ensure
-      session    = env['rack.session'] || {}
+      session    = Request::Session.find(env) || {}
       flash_hash = env[KEY]
 
       if flash_hash
         if !flash_hash.empty? || session.key?('flash')
-          session["flash"] = flash_hash
+          session["flash"] = flash_hash.to_session_value
           new_hash = flash_hash.dup
         else
           new_hash = flash_hash
@@ -255,7 +254,8 @@ module ActionDispatch
         env[KEY] = new_hash
       end
 
-      if session.key?('flash') && session['flash'].empty?
+      if (!session.respond_to?(:loaded?) || session.loaded?) && # (reset_session uses {}, which doesn't implement #loaded?)
+         session.key?('flash') && session['flash'].nil?
         session.delete('flash')
       end
     end

data/lib/action_dispatch/middleware/params_parser.rb

@@ -4,10 +4,16 @@ require 'active_support/core_ext/hash/indifferent_access'
 
 module ActionDispatch
   class ParamsParser
-    DEFAULT_PARSERS = {
-      Mime::XML => :xml_simple,
-      Mime::JSON => :json
-    }
+    class ParseError < StandardError
+      attr_reader :original_exception
+
+      def initialize(message, original_exception)
+        super(message)
+        @original_exception = original_exception
+      end
+    end
+
+    DEFAULT_PARSERS = { Mime::JSON => :json }
 
     def initialize(app, parsers = {})
       @app, @parsers = app, DEFAULT_PARSERS.merge(parsers)
@@ -27,49 +33,28 @@ module ActionDispatch
 
         return false if request.content_length.zero?
 
-        mime_type = content_type_from_legacy_post_data_format_header(env) ||
-          request.content_mime_type
-
-        strategy = @parsers[mime_type]
+        strategy = @parsers[request.content_mime_type]
 
         return false unless strategy
 
         case strategy
         when Proc
           strategy.call(request.raw_post)
-        when :xml_simple, :xml_node
-          data = request.deep_munge(Hash.from_xml(request.body.read) || {})
-          request.body.rewind if request.body.respond_to?(:rewind)
-          data.with_indifferent_access
-        when :yaml
-          YAML.load(request.raw_post)
         when :json
           data = ActiveSupport::JSON.decode(request.body)
-          request.body.rewind if request.body.respond_to?(:rewind)
           data = {:_json => data} unless data.is_a?(Hash)
           request.deep_munge(data).with_indifferent_access
         else
           false
         end
-      rescue Exception => e # YAML, XML or Ruby code block errors
+      rescue Exception => e # JSON or Ruby code block errors
         logger(env).debug "Error occurred while parsing request parameters.\nContents:\n\n#{request.raw_post}"
 
-        raise e
-      end
-
-      def content_type_from_legacy_post_data_format_header(env)
-        if x_post_format = env['HTTP_X_POST_DATA_FORMAT']
-          case x_post_format.to_s.downcase
-          when 'yaml' then return Mime::YAML
-          when 'xml'  then return Mime::XML
-          end
-        end
-
-        nil
+        raise ParseError.new(e.message, e)
       end
 
       def logger(env)
-        env['action_dispatch.logger'] || Logger.new($stderr)
+        env['action_dispatch.logger'] || ActiveSupport::Logger.new($stderr)
       end
   end
 end

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -1,5 +1,4 @@
 module ActionDispatch
-  # A simple Rack application that renders exceptions in the given public path.
   class PublicExceptions
     attr_accessor :public_path
 
@@ -8,23 +7,40 @@ module ActionDispatch
     end
 
     def call(env)
-      status      = env["PATH_INFO"][1..-1]
-      locale_path = "#{public_path}/#{status}.#{I18n.locale}.html" if I18n.locale
-      path        = "#{public_path}/#{status}.html"
-
-      if locale_path && File.exist?(locale_path)
-        render(status, File.read(locale_path))
-      elsif File.exist?(path)
-        render(status, File.read(path))
+      status       = env["PATH_INFO"][1..-1]
+      request      = ActionDispatch::Request.new(env)
+      content_type = request.formats.first
+      body         = { :status => status, :error => Rack::Utils::HTTP_STATUS_CODES.fetch(status.to_i, Rack::Utils::HTTP_STATUS_CODES[500]) }
+
+      render(status, content_type, body)
+    end
+
+    private
+
+    def render(status, content_type, body)
+      format = "to_#{content_type.to_sym}" if content_type
+      if format && body.respond_to?(format)
+        render_format(status, content_type, body.public_send(format))
       else
-        [404, { "X-Cascade" => "pass" }, []]
+        render_html(status)
       end
     end
 
-    private
+    def render_format(status, content_type, body)
+      [status, {'Content-Type' => "#{content_type}; charset=#{ActionDispatch::Response.default_charset}",
+                'Content-Length' => body.bytesize.to_s}, [body]]
+    end
+
+    def render_html(status)
+      found = false
+      path = "#{public_path}/#{status}.#{I18n.locale}.html" if I18n.locale
+      path = "#{public_path}/#{status}.html" unless path && (found = File.exist?(path))
 
-    def render(status, body)
-      [status, {'Content-Type' => "text/html; charset=#{Response.default_charset}", 'Content-Length' => body.bytesize.to_s}, [body]]
+      if found || File.exist?(path)
+        render_format(status, 'text/html', File.read(path))
+      else
+        [404, { "X-Cascade" => "pass" }, []]
+      end
     end
   end
-end
+end

data/lib/action_dispatch/middleware/reloader.rb

@@ -1,5 +1,3 @@
-require 'action_dispatch/middleware/body_proxy'
-
 module ActionDispatch
   # ActionDispatch::Reloader provides prepare and cleanup callbacks,
   # intended to assist with code reloading during development.
@@ -20,10 +18,10 @@ module ActionDispatch
   # classes before they are unloaded.
   #
   # By default, ActionDispatch::Reloader is included in the middleware stack
-  # only in the development environment; specifically, when config.cache_classes
+  # only in the development environment; specifically, when +config.cache_classes+
   # is false. Callbacks may be registered even when it is not included in the
-  # middleware stack, but are executed only when +ActionDispatch::Reloader.prepare!+
-  # or +ActionDispatch::Reloader.cleanup!+ are called manually.
+  # middleware stack, but are executed only when <tt>ActionDispatch::Reloader.prepare!</tt>
+  # or <tt>ActionDispatch::Reloader.cleanup!</tt> are called manually.
   #
   class Reloader
     include ActiveSupport::Callbacks
@@ -62,8 +60,10 @@ module ActionDispatch
     def call(env)
       @validated = @condition.call
       prepare!
+
       response = @app.call(env)
-      response[2] = ActionDispatch::BodyProxy.new(response[2]) { cleanup! }
+      response[2] = ::Rack::BodyProxy.new(response[2]) { cleanup! }
+
       response
     rescue Exception
       cleanup!

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -1,80 +1,186 @@
 module ActionDispatch
+  # This middleware calculates the IP address of the remote client that is
+  # making the request. It does this by checking various headers that could
+  # contain the address, and then picking the last-set address that is not
+  # on the list of trusted IPs. This follows the precedent set by e.g.
+  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453],
+  # with {reasoning explained at length}[http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]
+  # by @gingerlime. A more detailed explanation of the algorithm is given
+  # at GetIp#calculate_ip.
+  #
+  # Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
+  # requires. Some Rack servers simply drop preceding headers, and only report
+  # the value that was {given in the last header}[http://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers].
+  # If you are behind multiple proxy servers (like Nginx to HAProxy to Unicorn)
+  # then you should test your Rack server to make sure your data is good.
+  #
+  # IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING.
+  # This middleware assumes that there is at least one proxy sitting around
+  # and setting headers with the client's remote IP address. If you don't use
+  # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
+  # claim to have any IP address by setting the X-Forwarded-For header. If you
+  # care about that, then you need to explicitly drop or ignore those headers
+  # sometime before this middleware runs.
   class RemoteIp
-    class IpSpoofAttackError < StandardError ; end
+    class IpSpoofAttackError < StandardError; end
 
-    # IP addresses that are "trusted proxies" that can be stripped from
-    # the comma-delimited list in the X-Forwarded-For header. See also:
-    # http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
+    # The default trusted IPs list simply includes IP addresses that are
+    # guaranteed by the IP specification to be private addresses. Those will
+    # not be the ultimate client IP in production, and so are discarded. See
+    # http://en.wikipedia.org/wiki/Private_network for details.
     TRUSTED_PROXIES = %r{
-      ^127\.0\.0\.1$                | # localhost
-      ^(10                          | # private IP 10.x.x.x
-        172\.(1[6-9]|2[0-9]|3[0-1]) | # private IP in the range 172.16.0.0 .. 172.31.255.255
-        192\.168                      # private IP 192.168.x.x
-       )\.
+      ^127\.0\.0\.1$                | # localhost IPv4
+      ^::1$                         | # localhost IPv6
+      ^fc00:                        | # private IPv6 range fc00
+      ^10\.                         | # private IPv4 range 10.x.x.x
+      ^172\.(1[6-9]|2[0-9]|3[0-1])\.| # private IPv4 range 172.16.0.0 .. 172.31.255.255
+      ^192\.168\.                     # private IPv4 range 192.168.x.x
     }x
 
     attr_reader :check_ip, :proxies
 
+    # Create a new +RemoteIp+ middleware instance.
+    #
+    # The +check_ip_spoofing+ option is on by default. When on, an exception
+    # is raised if it looks like the client is trying to lie about its own IP
+    # address. It makes sense to turn off this check on sites aimed at non-IP
+    # clients (like WAP devices), or behind proxies that set headers in an
+    # incorrect or confusing way (like AWS ELB).
+    #
+    # The +custom_trusted+ argument can take a regex, which will be used
+    # instead of +TRUSTED_PROXIES+, or a string, which will be used in addition
+    # to +TRUSTED_PROXIES+. Any proxy setup will put the value you want in the
+    # middle (or at the beginning) of the X-Forwarded-For list, with your proxy
+    # servers after it. If your proxies aren't removed, pass them in via the
+    # +custom_trusted+ parameter. That way, the middleware will ignore those
+    # IP addresses, and return the one that you want.
     def initialize(app, check_ip_spoofing = true, custom_proxies = nil)
       @app = app
       @check_ip = check_ip_spoofing
-      if custom_proxies
-        custom_regexp = Regexp.new(custom_proxies)
-        @proxies = Regexp.union(TRUSTED_PROXIES, custom_regexp)
-      else
-        @proxies = TRUSTED_PROXIES
-      end
+      @proxies = case custom_proxies
+        when Regexp
+          custom_proxies
+        when nil
+          TRUSTED_PROXIES
+        else
+          Regexp.union(TRUSTED_PROXIES, custom_proxies)
+        end
     end
 
+    # Since the IP address may not be needed, we store the object here
+    # without calculating the IP to keep from slowing down the majority of
+    # requests. For those requests that do need to know the IP, the
+    # GetIp#calculate_ip method will calculate the memoized client IP address.
     def call(env)
       env["action_dispatch.remote_ip"] = GetIp.new(env, self)
       @app.call(env)
     end
 
+    # The GetIp class exists as a way to defer processing of the request data
+    # into an actual IP address. If the ActionDispatch::Request#remote_ip method
+    # is called, this class will calculate the value and then memoize it.
     class GetIp
+
+      # This constant contains a regular expression that validates every known
+      # form of IP v4 and v6 address, with or without abbreviations, adapted
+      # from {this gist}[https://gist.github.com/gazay/1289635].
+      VALID_IP = %r{
+        (^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[0-9]{1,2})(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[0-9]{1,2})){3}$)                                                        | # ip v4
+        (^(
+        (([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})                                                                                                                   | # ip v6 not abbreviated
+        (([0-9A-Fa-f]{1,4}:){6}:[0-9A-Fa-f]{1,4})                                                                                                                  | # ip v6 with double colon in the end
+        (([0-9A-Fa-f]{1,4}:){5}:([0-9A-Fa-f]{1,4}:)?[0-9A-Fa-f]{1,4})                                                                                              | # - ip addresses v6
+        (([0-9A-Fa-f]{1,4}:){4}:([0-9A-Fa-f]{1,4}:){0,2}[0-9A-Fa-f]{1,4})                                                                                          | # - with
+        (([0-9A-Fa-f]{1,4}:){3}:([0-9A-Fa-f]{1,4}:){0,3}[0-9A-Fa-f]{1,4})                                                                                          | # - double colon
+        (([0-9A-Fa-f]{1,4}:){2}:([0-9A-Fa-f]{1,4}:){0,4}[0-9A-Fa-f]{1,4})                                                                                          | # - in the middle
+        (([0-9A-Fa-f]{1,4}:){6} ((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3} (\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))                            | # ip v6 with compatible to v4
+        (([0-9A-Fa-f]{1,4}:){1,5}:((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))                           | # ip v6 with compatible to v4
+        (([0-9A-Fa-f]{1,4}:){1}:([0-9A-Fa-f]{1,4}:){0,4}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))     | # ip v6 with compatible to v4
+        (([0-9A-Fa-f]{1,4}:){0,2}:([0-9A-Fa-f]{1,4}:){0,3}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))   | # ip v6 with compatible to v4
+        (([0-9A-Fa-f]{1,4}:){0,3}:([0-9A-Fa-f]{1,4}:){0,2}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))   | # ip v6 with compatible to v4
+        (([0-9A-Fa-f]{1,4}:){0,4}:([0-9A-Fa-f]{1,4}:){1}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))     | # ip v6 with compatible to v4
+        (::([0-9A-Fa-f]{1,4}:){0,5}((\b((25[0-5])|(1\d{2})|(2[0-4]\d) |(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))                         | # ip v6 with compatible to v4
+        ([0-9A-Fa-f]{1,4}::([0-9A-Fa-f]{1,4}:){0,5}[0-9A-Fa-f]{1,4})                                                                                               | # ip v6 with compatible to v4
+        (::([0-9A-Fa-f]{1,4}:){0,6}[0-9A-Fa-f]{1,4})                                                                                                               | # ip v6 with double colon at the beginning
+        (([0-9A-Fa-f]{1,4}:){1,7}:)                                                                                                                                  # ip v6 without ending
+        )$)
+      }x
+
       def initialize(env, middleware)
-        @env          = env
-        @middleware   = middleware
-        @calculated_ip = false
+        @env      = env
+        @check_ip = middleware.check_ip
+        @proxies  = middleware.proxies
       end
 
-      # Determines originating IP address. REMOTE_ADDR is the standard
-      # but will be wrong if the user is behind a proxy. Proxies will set
-      # HTTP_CLIENT_IP and/or HTTP_X_FORWARDED_FOR, so we prioritize those.
-      # HTTP_X_FORWARDED_FOR may be a comma-delimited list in the case of
-      # multiple chained proxies. The last address which is not a known proxy
-      # will be the originating IP.
+      # Sort through the various IP address headers, looking for the IP most
+      # likely to be the address of the actual remote client making this
+      # request.
+      #
+      # REMOTE_ADDR will be correct if the request is made directly against the
+      # Ruby process, on e.g. Heroku. When the request is proxied by another
+      # server like HAProxy or Nginx, the IP address that made the original
+      # request will be put in an X-Forwarded-For header. If there are multiple
+      # proxies, that header may contain a list of IPs. Other proxy services
+      # set the Client-Ip header instead, so we check that too.
+      #
+      # As discussed in {this post about Rails IP Spoofing}[http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
+      # while the first IP in the list is likely to be the "originating" IP,
+      # it could also have been set by the client maliciously.
+      #
+      # In order to find the first address that is (probably) accurate, we
+      # take the list of IPs, remove known and trusted proxies, and then take
+      # the last address left, which was presumably set by one of those proxies.
       def calculate_ip
-        client_ip     = @env['HTTP_CLIENT_IP']
-        forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR')
-        remote_addrs  = ips_from('REMOTE_ADDR')
+        # Set by the Rack web server, this is a single value.
+        remote_addr = ips_from('REMOTE_ADDR').last
 
-        check_ip = client_ip && forwarded_ips.present? && @middleware.check_ip
-        if check_ip && !forwarded_ips.include?(client_ip)
+        # Could be a CSV list and/or repeated headers that were concatenated.
+        client_ips    = ips_from('HTTP_CLIENT_IP').reverse
+        forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR').reverse
+
+        # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
+        # If they are both set, it means that this request passed through two
+        # proxies with incompatible IP header conventions, and there is no way
+        # for us to determine which header is the right one after the fact.
+        # Since we have no idea, we give up and explode.
+        should_check_ip = @check_ip && client_ips.last
+        if should_check_ip && !forwarded_ips.include?(client_ips.last)
           # We don't know which came from the proxy, and which from the user
-          raise IpSpoofAttackError, "IP spoofing attack?!" \
-            "HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect}" \
+          raise IpSpoofAttackError, "IP spoofing attack?! " +
+            "HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect} " +
             "HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}"
         end
 
-        not_proxy = client_ip || forwarded_ips.last || remote_addrs.first
+        # We assume these things about the IP headers:
+        #
+        #   - X-Forwarded-For will be a list of IPs, one per proxy, or blank
+        #   - Client-Ip is propagated from the outermost proxy, or is blank
+        #   - REMOTE_ADDR will be the IP that made the request to Rack
+        ips = [forwarded_ips, client_ips, remote_addr].flatten.compact
 
-        # Return first REMOTE_ADDR if there are no other options
-        not_proxy || ips_from('REMOTE_ADDR', :allow_proxies).first
+        # If every single IP option is in the trusted list, just return REMOTE_ADDR
+        filter_proxies(ips).first || remote_addr
       end
 
+      # Memoizes the value returned by #calculate_ip and returns it for
+      # ActionDispatch::Request to use.
       def to_s
-        return @ip if @calculated_ip
-        @calculated_ip = true
-        @ip = calculate_ip
+        @ip ||= calculate_ip
       end
 
     protected
 
-      def ips_from(header, allow_proxies = false)
+      def ips_from(header)
+        # Split the comma-separated list into an array of strings
         ips = @env[header] ? @env[header].strip.split(/[,\s]+/) : []
-        allow_proxies ? ips : ips.reject{|ip| ip =~ @middleware.proxies }
+        # Only return IPs that are valid according to the regex
+        ips.select{ |ip| ip =~ VALID_IP }
+      end
+
+      def filter_proxies(ips)
+        ips.reject { |ip| ip =~ @proxies }
       end
+
     end
 
   end