actionpack 7.0.8.4 → 7.1.3.4

data/lib/action_dispatch/middleware/debug_exceptions.rb

@@ -6,6 +6,8 @@ require "action_dispatch/routing/inspector"
 require "action_view"
 
 module ActionDispatch
+  # = Action Dispatch \DebugExceptions
+  #
   # This middleware is responsible for logging exceptions and
   # showing a debugging page in case the request is local.
   class DebugExceptions
@@ -24,26 +26,26 @@ module ActionDispatch
     end
 
     def call(env)
-      request = ActionDispatch::Request.new env
       _, headers, body = response = @app.call(env)
 
-      if headers["X-Cascade"] == "pass"
+      if headers[Constants::X_CASCADE] == "pass"
         body.close if body.respond_to?(:close)
         raise ActionController::RoutingError, "No route matches [#{env['REQUEST_METHOD']}] #{env['PATH_INFO'].inspect}"
       end
 
       response
     rescue Exception => exception
-      invoke_interceptors(request, exception)
-      raise exception unless request.show_exceptions?
-      render_exception(request, exception)
+      request = ActionDispatch::Request.new env
+      backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
+      wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
+
+      invoke_interceptors(request, exception, wrapper)
+      raise exception unless wrapper.show?(request)
+      render_exception(request, exception, wrapper)
     end
 
     private
-      def invoke_interceptors(request, exception)
-        backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
-        wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
-
+      def invoke_interceptors(request, exception, wrapper)
         @interceptors.each do |interceptor|
           interceptor.call(request, exception)
         rescue Exception
@@ -51,9 +53,7 @@ module ActionDispatch
         end
       end
 
-      def render_exception(request, exception)
-        backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
-        wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
+      def render_exception(request, exception, wrapper)
         log_error(request, wrapper)
 
         if request.get_header("action_dispatch.show_detailed_exceptions")
@@ -94,7 +94,7 @@ module ActionDispatch
             wrapper.status_code,
             Rack::Utils::HTTP_STATUS_CODES[500]
           ),
-          exception: wrapper.exception.inspect,
+          exception: wrapper.exception_inspect,
           traces: wrapper.traces
         }
 
@@ -115,19 +115,19 @@ module ActionDispatch
         DebugView.new(
           request: request,
           exception_wrapper: wrapper,
+          # Everything should use the wrapper, but we need to pass
+          # `exception` for legacy code.
           exception: wrapper.exception,
           traces: wrapper.traces,
           show_source_idx: wrapper.source_to_show_id,
           trace_to_show: wrapper.trace_to_show,
-          routes_inspector: routes_inspector(wrapper.exception),
+          routes_inspector: routes_inspector(wrapper),
           source_extracts: wrapper.source_extracts,
-          line_number: wrapper.line_number,
-          file: wrapper.file
         )
       end
 
       def render(status, body, format)
-        [status, { "Content-Type" => "#{format}; charset=#{Response.default_charset}", "Content-Length" => body.bytesize.to_s }, [body]]
+        [status, { Rack::CONTENT_TYPE => "#{format}; charset=#{Response.default_charset}", Rack::CONTENT_LENGTH => body.bytesize.to_s }, [body]]
       end
 
       def log_error(request, wrapper)
@@ -136,26 +136,27 @@ module ActionDispatch
         return unless logger
         return if !log_rescued_responses?(request) && wrapper.rescue_response?
 
-        exception = wrapper.exception
         trace = wrapper.exception_trace
 
         message = []
         message << "  "
-        message << "#{exception.class} (#{exception.message}):"
-        message.concat(exception.annotated_source_code) if exception.respond_to?(:annotated_source_code)
+        message << "#{wrapper.exception_class_name} (#{wrapper.message}):"
+        message.concat(wrapper.annotated_source_code)
         message << "  "
         message.concat(trace)
 
-        log_array(logger, message)
+        log_array(logger, message, request)
       end
 
-      def log_array(logger, lines)
+      def log_array(logger, lines, request)
         return if lines.empty?
 
+        level = request.get_header("action_dispatch.debug_exception_log_level")
+
         if logger.formatter && logger.formatter.respond_to?(:tags_text)
-          logger.fatal lines.join("\n#{logger.formatter.tags_text}")
+          logger.add(level, lines.join("\n#{logger.formatter.tags_text}"))
         else
-          logger.fatal lines.join("\n")
+          logger.add(level, lines.join("\n"))
         end
       end
 
@@ -168,7 +169,7 @@ module ActionDispatch
       end
 
       def routes_inspector(exception)
-        if @routes_app.respond_to?(:routes) && (exception.is_a?(ActionController::RoutingError) || exception.is_a?(ActionView::Template::Error))
+        if @routes_app.respond_to?(:routes) && (exception.routing_error? || exception.template_error?)
           ActionDispatch::Routing::RoutesInspector.new(@routes_app.routes.routes)
         end
       end

data/lib/action_dispatch/middleware/debug_locks.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionDispatch
+  # = Action Dispatch \DebugLocks
+  #
   # This middleware can be used to diagnose deadlocks in the autoload interlock.
   #
   # To use it, insert it near the top of the middleware stack, using
@@ -97,7 +99,8 @@ module ActionDispatch
           msg << "\n#{info[:backtrace].join("\n")}\n" if info[:backtrace]
         end.join("\n\n---\n\n\n")
 
-        [200, { "Content-Type" => "text/plain", "Content-Length" => str.size }, [str]]
+        [200, { Rack::CONTENT_TYPE => "text/plain; charset=#{ActionDispatch::Response.default_charset}",
+                Rack::CONTENT_LENGTH => str.size.to_s }, [str]]
       end
 
       def blocked_by?(victim, blocker, all_threads)

data/lib/action_dispatch/middleware/debug_view.rb

@@ -7,18 +7,23 @@ require "action_view/base"
 
 module ActionDispatch
   class DebugView < ActionView::Base # :nodoc:
-    RESCUES_TEMPLATE_PATH = File.expand_path("templates", __dir__)
+    RESCUES_TEMPLATE_PATHS = [File.expand_path("templates", __dir__)]
 
     def initialize(assigns)
-      paths = [RESCUES_TEMPLATE_PATH]
+      paths = RESCUES_TEMPLATE_PATHS.dup
       lookup_context = ActionView::LookupContext.new(paths)
       super(lookup_context, assigns, nil)
+      @exception_wrapper = assigns[:exception_wrapper]
     end
 
     def compiled_method_container
       self.class
     end
 
+    def error_highlight_available?
+      @exception_wrapper.error_highlight_available?
+    end
+
     def debug_params(params)
       clean_params = params.clone
       clean_params.delete("action")

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require "active_support/core_ext/module/attribute_accessors"
+require "active_support/syntax_error_proxy"
+require "active_support/core_ext/thread/backtrace/location"
 require "rack/utils"
 
 module ActionDispatch
@@ -41,22 +43,76 @@ module ActionDispatch
       "ActionDispatch::Http::MimeNegotiation::InvalidType"
     ]
 
-    attr_reader :backtrace_cleaner, :exception, :wrapped_causes, :line_number, :file
+    attr_reader :backtrace_cleaner, :wrapped_causes, :exception_class_name, :exception
 
     def initialize(backtrace_cleaner, exception)
       @backtrace_cleaner = backtrace_cleaner
-      @exception = exception
-      @exception_class_name = @exception.class.name
+      @exception_class_name = exception.class.name
       @wrapped_causes = wrapped_causes_for(exception, backtrace_cleaner)
+      @exception = exception
+      if exception.is_a?(SyntaxError)
+        @exception = ActiveSupport::SyntaxErrorProxy.new(exception)
+      end
+      @backtrace = build_backtrace
+    end
+
+    def routing_error?
+      @exception.is_a?(ActionController::RoutingError)
+    end
 
-      expand_backtrace if exception.is_a?(SyntaxError) || exception.cause.is_a?(SyntaxError)
+    def template_error?
+      @exception.is_a?(ActionView::Template::Error)
+    end
+
+    def sub_template_message
+      @exception.sub_template_message
+    end
+
+    def has_cause?
+      @exception.cause
+    end
+
+    def failures
+      @exception.failures
+    end
+
+    def has_corrections?
+      @exception.respond_to?(:original_message) && @exception.respond_to?(:corrections)
+    end
+
+    def original_message
+      @exception.original_message
+    end
+
+    def corrections
+      @exception.corrections
+    end
+
+    def file_name
+      @exception.file_name
+    end
+
+    def line_number
+      @exception.line_number
+    end
+
+    def actions
+      ActiveSupport::ActionableError.actions(@exception)
     end
 
     def unwrapped_exception
       if wrapper_exceptions.include?(@exception_class_name)
-        exception.cause
+        @exception.cause
+      else
+        @exception
+      end
+    end
+
+    def annotated_source_code
+      if exception.respond_to?(:annotated_source_code)
+        exception.annotated_source_code
       else
-        exception
+        []
       end
     end
 
@@ -118,21 +174,44 @@ module ActionDispatch
       Rack::Utils.status_code(@@rescue_responses[class_name])
     end
 
+    def show?(request)
+      # We're treating `nil` as "unset", and we want the default setting to be
+      # `:all`. This logic should be extracted to `env_config` and calculated
+      # once.
+      config = request.get_header("action_dispatch.show_exceptions")
+
+      # Include true and false for backwards compatibility.
+      case config
+      when :none
+        false
+      when :rescuable
+        rescue_response?
+      when true
+        ActionDispatch.deprecator.warn("Setting action_dispatch.show_exceptions to true is deprecated. Set to :all instead.")
+        true
+      when false
+        ActionDispatch.deprecator.warn("Setting action_dispatch.show_exceptions to false is deprecated. Set to :none instead.")
+        false
+      else
+        true
+      end
+    end
+
     def rescue_response?
       @@rescue_responses.key?(exception.class.name)
     end
 
     def source_extracts
       backtrace.map do |trace|
-        file, line_number = extract_file_and_line_number(trace)
-
-        {
-          code: source_fragment(file, line_number),
-          line_number: line_number
-        }
+        extract_source(trace)
       end
     end
 
+    def error_highlight_available?
+      # ErrorHighlight.spot with backtrace_location keyword is available since error_highlight 0.4.0
+      defined?(ErrorHighlight) && Gem::Version.new(ErrorHighlight::VERSION) >= Gem::Version.new("0.4.0")
+    end
+
     def trace_to_show
       if traces["Application Trace"].empty? && rescue_template != "routing_error"
         "Full Trace"
@@ -145,9 +224,65 @@ module ActionDispatch
       (traces[trace_to_show].first || {})[:id]
     end
 
+    def exception_name
+      exception.cause.class.to_s
+    end
+
+    def message
+      exception.message
+    end
+
+    def exception_inspect
+      exception.inspect
+    end
+
+    def exception_id
+      exception.object_id
+    end
+
     private
-      def backtrace
-        Array(@exception.backtrace)
+      class SourceMapLocation < DelegateClass(Thread::Backtrace::Location) # :nodoc:
+        def initialize(location, template)
+          super(location)
+          @template = template
+        end
+
+        def spot(exc)
+          if RubyVM::AbstractSyntaxTree.respond_to?(:node_id_for_backtrace_location) && __getobj__.is_a?(Thread::Backtrace::Location)
+            location = @template.spot(__getobj__)
+          else
+            location = super
+          end
+
+          if location
+            @template.translate_location(__getobj__, location)
+          end
+        end
+      end
+
+      attr_reader :backtrace
+
+      def build_backtrace
+        built_methods = {}
+
+        ActionView::PathRegistry.all_resolvers.each do |resolver|
+          resolver.built_templates.each do |template|
+            built_methods[template.method_name] = template
+          end
+        end
+
+        (@exception.backtrace_locations || []).map do |loc|
+          if built_methods.key?(loc.label.to_s)
+            thread_backtrace_location = if loc.respond_to?(:__getobj__)
+              loc.__getobj__
+            else
+              loc
+            end
+            SourceMapLocation.new(thread_backtrace_location, built_methods[loc.label.to_s])
+          else
+            loc
+          end
+        end
       end
 
       def causes_for(exception)
@@ -168,29 +303,53 @@ module ActionDispatch
         end
       end
 
+      def extract_source(trace)
+        spot = trace.spot(@exception)
+
+        if spot
+          line = spot[:first_lineno]
+          code = extract_source_fragment_lines(spot[:script_lines], line)
+
+          if line == spot[:last_lineno]
+            code[line] = [
+              code[line][0, spot[:first_column]],
+              code[line][spot[:first_column]...spot[:last_column]],
+              code[line][spot[:last_column]..-1],
+            ]
+          end
+
+          return {
+            code: code,
+            line_number: line
+          }
+        end
+
+        file, line_number = extract_file_and_line_number(trace)
+
+        {
+          code: source_fragment(file, line_number),
+          line_number: line_number
+        }
+      end
+
+      def extract_source_fragment_lines(source_lines, line)
+        start = [line - 3, 0].max
+        lines = source_lines.drop(start).take(6)
+        Hash[*(start + 1..(lines.count + start)).zip(lines).flatten]
+      end
+
       def source_fragment(path, line)
         return unless Rails.respond_to?(:root) && Rails.root
         full_path = Rails.root.join(path)
         if File.exist?(full_path)
           File.open(full_path, "r") do |file|
-            start = [line - 3, 0].max
-            lines = file.each_line.drop(start).take(6)
-            Hash[*(start + 1..(lines.count + start)).zip(lines).flatten]
+            extract_source_fragment_lines(file.each_line, line)
           end
         end
       end
 
       def extract_file_and_line_number(trace)
-        # Split by the first colon followed by some digits, which works for both
-        # Windows and Unix path styles.
-        file, line = trace.match(/^(.+?):(\d+).*$/, &:captures) || trace
-        [file, line.to_i]
-      end
-
-      def expand_backtrace
-        @exception.backtrace.unshift(
-          @exception.to_s.split("\n")
-        ).flatten!
+        [trace.path, trace.lineno]
       end
   end
 end

data/lib/action_dispatch/middleware/executor.rb

@@ -14,7 +14,7 @@ module ActionDispatch
         response = @app.call(env)
         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
       rescue => error
-        @executor.error_reporter.report(error, handled: false)
+        @executor.error_reporter.report(error, handled: false, source: "application.action_dispatch")
         raise
       ensure
         state.complete! unless returned

data/lib/action_dispatch/middleware/flash.rb

@@ -3,6 +3,8 @@
 require "active_support/core_ext/hash/keys"
 
 module ActionDispatch
+  # = Action Dispatch \Flash
+  #
   # The flash provides a way to pass temporary primitive-types (String, Array, Hash) between actions. Anything you place in the flash will be exposed
   # to the very next action and then cleared out. This is a great way of doing notices and alerts, such as a create
   # action that sets <tt>flash[:notice] = "Post successfully created"</tt> before redirecting to a display action that can
@@ -175,6 +177,8 @@ module ActionDispatch
         @flashes.key? name.to_s
       end
 
+      # Immediately deletes the single flash entry. Use this method when you
+      # want remove the message within the current action. See also #discard.
       def delete(key)
         key = key.to_s
         @discard.delete key
@@ -243,6 +247,9 @@ module ActionDispatch
       #
       #     flash.discard              # discard the entire flash at the end of the current action
       #     flash.discard(:warning)    # discard only the "warning" entry at the end of the current action
+      #
+      # Use this method when you want to display the message in the current
+      # action but not in the next one. See also #delete.
       def discard(k = nil)
         k = k.to_s if k
         @discard.merge Array(k || keys)

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionDispatch
+  # = Action Dispatch \HostAuthorization
+  #
   # This middleware guards from DNS rebinding attacks by explicitly permitting
   # the hosts a request can be sent to, and is passed the options set in
   # +config.host_authorization+.
@@ -18,6 +20,7 @@ module ActionDispatch
   class HostAuthorization
     ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
     PORT_REGEX = /(?::\d+)/ # :nodoc:
+    SUBDOMAIN_REGEX = /(?:[a-z0-9-]+\.)/i # :nodoc:
     IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
     IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
     IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
@@ -69,7 +72,7 @@ module ActionDispatch
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
+            /\A#{SUBDOMAIN_REGEX}?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
           else
             /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
           end
@@ -101,8 +104,8 @@ module ActionDispatch
 
         def response(format, body)
           [RESPONSE_STATUS,
-           { "Content-Type" => "#{format}; charset=#{Response.default_charset}",
-             "Content-Length" => body.bytesize.to_s },
+           { Rack::CONTENT_TYPE => "#{format}; charset=#{Response.default_charset}",
+             Rack::CONTENT_LENGTH => body.bytesize.to_s },
            [body]]
         end
 

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionDispatch
+  # = Action Dispatch \PublicExceptions
+  #
   # When called, this middleware renders an error page. By default if an HTML
   # response is expected it will render static error pages from the <tt>/public</tt>
   # directory. For example when this middleware receives a 500 response it will
@@ -42,8 +44,8 @@ module ActionDispatch
       end
 
       def render_format(status, content_type, body)
-        [status, { "Content-Type" => "#{content_type}; charset=#{ActionDispatch::Response.default_charset}",
-                  "Content-Length" => body.bytesize.to_s }, [body]]
+        [status, { Rack::CONTENT_TYPE => "#{content_type}; charset=#{ActionDispatch::Response.default_charset}",
+                  Rack::CONTENT_LENGTH => body.bytesize.to_s }, [body]]
       end
 
       def render_html(status)
@@ -53,7 +55,7 @@ module ActionDispatch
         if found || File.exist?(path)
           render_format(status, "text/html", File.read(path))
         else
-          [404, { "X-Cascade" => "pass" }, []]
+          [404, { Constants::X_CASCADE => "pass" }, []]
         end
       end
   end

data/lib/action_dispatch/middleware/reloader.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 
 module ActionDispatch
-  # ActionDispatch::Reloader wraps the request with callbacks provided by ActiveSupport::Reloader
-  # callbacks, intended to assist with code reloading during development.
+  # = Action Dispatch \Reloader
   #
-  # By default, ActionDispatch::Reloader is included in the middleware stack
-  # only in the development environment; specifically, when +config.cache_classes+
-  # is false.
+  # ActionDispatch::Reloader wraps the request with callbacks provided by
+  # ActiveSupport::Reloader, intended to assist with code reloading during
+  # development.
+  #
+  # ActionDispatch::Reloader is included in the middleware stack only if
+  # reloading is enabled, which it is by the default in +development+ mode.
   class Reloader < Executor
   end
 end

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -3,14 +3,14 @@
 require "ipaddr"
 
 module ActionDispatch
+  # = Action Dispatch \RemoteIp
+  #
   # This middleware calculates the IP address of the remote client that is
   # making the request. It does this by checking various headers that could
   # contain the address, and then picking the last-set address that is not
   # on the list of trusted IPs. This follows the precedent set by e.g.
-  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453],
-  # with {reasoning explained at length}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]
-  # by @gingerlime. A more detailed explanation of the algorithm is given
-  # at GetIp#calculate_ip.
+  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453].
+  # A more detailed explanation of the algorithm is given at GetIp#calculate_ip.
   #
   # Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
   # requires. Some Rack servers simply drop preceding headers, and only report
@@ -24,7 +24,8 @@ module ActionDispatch
   # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
   # claim to have any IP address by setting the +X-Forwarded-For+ header. If you
   # care about that, then you need to explicitly drop or ignore those headers
-  # sometime before this middleware runs.
+  # sometime before this middleware runs. Alternatively, remove this middleware
+  # to avoid inadvertently relying on it.
   class RemoteIp
     class IpSpoofAttackError < StandardError; end
 
@@ -65,9 +66,9 @@ module ActionDispatch
       elsif custom_proxies.respond_to?(:any?)
         custom_proxies
       else
-        ActiveSupport::Deprecation.warn(<<~EOM)
-          Setting config.action_dispatch.trusted_proxies to a single value has
-          been deprecated. Please set this to an enumerable instead. For
+        raise(ArgumentError, <<~EOM)
+          Setting config.action_dispatch.trusted_proxies to a single value isn't
+          supported. Please set this to an enumerable instead. For
           example, instead of:
 
           config.action_dispatch.trusted_proxies = IPAddr.new("10.0.0.0/8")
@@ -76,10 +77,8 @@ module ActionDispatch
 
           config.action_dispatch.trusted_proxies = [IPAddr.new("10.0.0.0/8")]
 
-          Note that unlike passing a single argument, passing an enumerable
-          will *replace* the default set of trusted proxies.
+          Note that passing an enumerable will *replace* the default set of trusted proxies.
         EOM
-        Array(custom_proxies) + TRUSTED_PROXIES
       end
     end
 
@@ -114,7 +113,7 @@ module ActionDispatch
       # proxies, that header may contain a list of IPs. Other proxy services
       # set the +Client-Ip+ header instead, so we check that too.
       #
-      # As discussed in {this post about Rails IP Spoofing}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
+      # As discussed in {this post about Rails IP Spoofing}[https://web.archive.org/web/20170626095448/https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
       # while the first IP in the list is likely to be the "originating" IP,
       # it could also have been set by the client maliciously.
       #
@@ -126,8 +125,8 @@ module ActionDispatch
         remote_addr = ips_from(@req.remote_addr).last
 
         # Could be a CSV list and/or repeated headers that were concatenated.
-        client_ips    = ips_from(@req.client_ip).reverse
-        forwarded_ips = ips_from(@req.x_forwarded_for).reverse
+        client_ips    = ips_from(@req.client_ip).reverse!
+        forwarded_ips = ips_from(@req.x_forwarded_for).reverse!
 
         # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
         # If they are both set, it means that either:
@@ -155,7 +154,8 @@ module ActionDispatch
         #   - X-Forwarded-For will be a list of IPs, one per proxy, or blank
         #   - Client-Ip is propagated from the outermost proxy, or is blank
         #   - REMOTE_ADDR will be the IP that made the request to Rack
-        ips = [forwarded_ips, client_ips].flatten.compact
+        ips = forwarded_ips + client_ips
+        ips.compact!
 
         # If every single IP option is in the trusted list, return the IP
         # that's furthest away
@@ -173,7 +173,7 @@ module ActionDispatch
         return [] unless header
         # Split the comma-separated list into an array of strings.
         ips = header.strip.split(/[,\s]+/)
-        ips.select do |ip|
+        ips.select! do |ip|
           # Only return IPs that are valid according to the IPAddr#new method.
           range = IPAddr.new(ip).to_range
           # We want to make sure nobody is sneaking a netmask in.
@@ -181,6 +181,7 @@ module ActionDispatch
         rescue ArgumentError
           nil
         end
+        ips
       end
 
       def filter_proxies(ips) # :doc: