Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3187 to
the following vulnerability:
Reference: FULLDISC:20110216 Ruby on Rails Vulnerability
The to_s method in
actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on
Rails 3.0.5 does not validate the X-Forwarded-For header in requests
from IP addresses on a Class C network, which might allow remote
attackers to inject arbitrary text into log files or bypass intended
address parsing via a crafted header.
I've asked upstream whether or not they are aware of this flaw, and whether or not it has been fixed and/or if they have further details.
Upstream replied as follows:
We've seen this one reported a few times, it's just not a security issue from
The value in question is user-provided, just like request.content_type or
request.user_agent, and isn't documented as being safe to use unescaped in
will escape that value (just like any other one that's user provided). We've
heard of no apps being compromised, seen no attack vectors that exploit this in
a way we hadn't considered.
We're just tracking it as a bug rather than a security bug.
In light of the above, I am going to close this as NOTABUG; future Fedora releases will obtain the fix when upstream fixes this as a bug.
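For readers who want to see the behaviour the CVE text describes, the following is an added illustration written for this page; it is not code from Rails, from the reporter or from upstream, and it does not reproduce the actual remote_ip.rb. It assumes a simplified version of the scheme Rails uses: entries in the private ranges (10/8, 172.16/12, 192.168/16 and loopback; the 192.168/16 range is presumably what the CVE text calls a Class C network) are treated as trusted proxies, and the right-most remaining X-Forwarded-For entry is taken as the client address. The TRUSTED_PROXIES pattern, the helper names and the two constructed requests are assumptions made for the example. The unchecked variant returns the surviving entry verbatim, so a header carrying a newline lands in the access log as a forged second record; the checked variant requires every entry to parse as an IP literal and otherwise falls back to the socket peer address.

```ruby
require 'ipaddr'

# Added example, not Rails code. Trusted-proxy pattern is an assumption for
# this illustration: loopback, 10/8, 172.16/12 and 192.168/16.
TRUSTED_PROXIES = /\A(?:127\.0\.0\.1|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.)/

# Vulnerable variant: whichever entry survives the trusted-proxy filter is
# returned as-is, whatever characters it contains.
def remote_ip_unchecked(env)
  xff = env['HTTP_X_FORWARDED_FOR'].to_s
  return env['REMOTE_ADDR'] if xff.strip.empty?
  clients = xff.split(',').map(&:strip).reject { |e| e =~ TRUSTED_PROXIES }
  clients.last || env['REMOTE_ADDR']
end

# Hardened variant: every entry must be a syntactically valid IPv4/IPv6
# literal, otherwise the whole header is ignored.
def valid_ip?(value)
  # \A and \z rather than ^ and $: Ruby's ^/$ are line anchors, so a value
  # such as "1.2.3.4\nINJECTED" would satisfy a ^...$ pattern.
  return false unless value.match?(/\A[0-9A-Fa-f:.]+\z/)
  IPAddr.new(value) # raises on out-of-range octets, wrong part counts, etc.
  true
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  false
end

def remote_ip_checked(env)
  xff = env['HTTP_X_FORWARDED_FOR'].to_s
  return env['REMOTE_ADDR'] if xff.strip.empty?
  entries = xff.split(',').map(&:strip)
  return env['REMOTE_ADDR'] unless entries.all? { |e| valid_ip?(e) }
  clients = entries.reject { |e| e =~ TRUSTED_PROXIES }
  clients.last || env['REMOTE_ADDR']
end

# One access-log record in the usual "client - request" shape; the resolver
# is passed in so the two variants can be compared on the same request.
def access_log_line(env, resolver)
  "#{resolver.call(env)} - \"#{env['REQUEST_METHOD']} #{env['PATH_INFO']}\""
end

# Constructed requests (not captured traffic): a normal one behind a
# 192.168.x proxy, and one whose header embeds a newline and a forged record.
NORMAL_REQUEST = {
  'REMOTE_ADDR'          => '192.168.1.10',
  'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 192.168.1.10',
  'REQUEST_METHOD'       => 'GET',
  'PATH_INFO'            => '/',
}.freeze

CRAFTED_REQUEST = NORMAL_REQUEST.merge(
  'HTTP_X_FORWARDED_FOR' =>
    "203.0.113.7 - \"GET /\"\n198.51.100.9 - \"POST /admin/users\", 192.168.1.10"
).freeze

if $PROGRAM_NAME == __FILE__
  [NORMAL_REQUEST, CRAFTED_REQUEST].each do |env|
    puts "unchecked: #{access_log_line(env, method(:remote_ip_unchecked)).inspect}"
    puts "checked:   #{access_log_line(env, method(:remote_ip_checked)).inspect}"
  end
end
```

Running the script prints the two log records for each request: for the crafted one the unchecked resolver yields a record containing a newline, so a log reader sees a second, fabricated line attributed to 198.51.100.9, while the checked resolver logs the proxy address 192.168.1.10 instead. Note that the trusted-proxy pattern is only anchored at the start of each entry, so an entry such as "192.168.1.1 junk" is silently treated as a proxy while "junk 192.168.1.1" is treated as the client; validating each entry as an IP literal before the proxy filter runs is what closes both the log-injection and the address-parsing bypass mentioned in the CVE text.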