SECURITY: Fix is_private_ip for RateLimiter to cover all cases (#12464)

The regular expression to detect private IP addresses did not always detect them successfully.
Changed to use Ruby's in-built IPAddr.new(ip_address).private? method instead
which does the same thing but covers all cases.
Martin Brennan
2021-03-22 13:56:32 +10:00
committed by GitHub
parent 9526c1a27b
commit 6eb0d0c38d
2 changed files with 19 additions and 13 deletions


@ -215,11 +215,9 @@ class Middleware::RequestTracker
log_request_info(env, result, info) unless !log_request || env["discourse.request_tracker.skip"]
end
PRIVATE_IP ||= /^(127\.)|(192\.168\.)|(10\.)|(172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.)|(::1$)|([fF][cCdD])/
def is_private_ip?(ip)
ip = IPAddr.new(ip) rescue nil
!!(ip && ip.to_s.match?(PRIVATE_IP))
!!(ip && (ip.private? || ip.loopback?))
end
def rate_limit(request)
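Review bot: `ip.private? || ip.loopback?` still leaves link-local ranges (169.254.0.0/16 and fe80::/10) classified as public, just as the removed regex did; if the intent of the exemption is "any non-routable source", consider `!!(ip && (ip.private? || ip.loopback? || ip.link_local?))`. Note also that the regex's `^` anchor only applied to the first alternative, so `(10\.)`, `(172\.1[6-9]\.)` and `([fF][cCdD])` matched anywhere in the string (e.g. `110.0.0.1`, `2001:db8::fd00`), which over-exempted public addresses from rate limiting rather than only missing private ones; this hunk does not carry a spec for those cases, so if the second changed file is not one, a regression spec asserting both directions (`10.1.2.3` private, `110.1.2.3` public, `::ffff:10.0.0.1` private) would lock the fix in. Minor: `IPAddr.new(ip) rescue nil` swallows every StandardError, not just `IPAddr::InvalidAddressError`; an explicit `rescue IPAddr::InvalidAddressError, ArgumentError` keeps unrelated failures visible.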