From 0635284834f18601e868c96244bc61702eade310 Mon Sep 17 00:00:00 2001
From: David Wilemski
Date: Sat, 17 Dec 2011 14:45:59 -0500
Subject: [PATCH] Fix for bug #392 Validates the remote_ip from xheaders using socket.inet_pton
---
 tornado/httpserver.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/tornado/httpserver.py b/tornado/httpserver.py
index 74f1a8acf..13580159b 100644
--- a/tornado/httpserver.py
+++ b/tornado/httpserver.py
@@ -362,6 +362,8 @@ class HTTPRequest(object):
 # Squid uses X-Forwarded-For, others use X-Real-Ip
 self.remote_ip = self.headers.get(
 "X-Real-Ip", self.headers.get("X-Forwarded-For", remote_ip))
+ if not self.__valid_ip(self.remote_ip):
+ self.remote_ip = remote_ip
 # AWS uses X-Forwarded-Proto
 self.protocol = self.headers.get(
 "X-Scheme", self.headers.get("X-Forwarded-Proto", protocol))
@@ -457,3 +459,14 @@ class HTTPRequest(object):
 args = ", ".join(["%s=%r" % (n, getattr(self, n)) for n in attrs])
 return "%s(%s, headers=%s)" % (
 self.__class__.__name__, args, dict(self.headers))
+
+ def __valid_ip(self, ip):
+ try:
+ address = socket.inet_pton(socket.AF_INET, ip)
+ except socket.error:
+ try:
+ address = socket.inet_pton(socket.AF_INET6, ip)
+ except socket.error:
+ return False
+
+ return True
--
2.47.2
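Review bot: In the `@@ -362` hunk the whole header value is validated as a single address, so an `X-Forwarded-For` that carries a comma-separated chain (`client, proxy1`) fails `inet_pton` and silently falls back to the socket address. If that is not the intent, pick one entry before validating, for example `self.remote_ip = self.remote_ip.split(",")[-1].strip()`. The check is syntactic only: any literal IP a client supplies is still accepted unless a trusted proxy overwrites these headers, which deserves a comment such as `# Syntax check only; these headers are trustworthy only behind a proxy that sets them`. The enclosing method starts and ends outside the hunk, so whether this branch is gated by an xheaders option cannot be confirmed from here.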
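Review bot: `__valid_ip` in the `@@ -457` hunk catches only `socket.error`, but `socket.inet_pton` can also raise `TypeError` or `ValueError` (a non-string argument or one with an embedded NUL, depending on the Python version), so a malformed value could propagate out of the request constructor instead of triggering the fallback. `inet_pton` is also not available on every platform, where the call would raise `AttributeError`. The `address` locals are never read, and the double-underscore name invokes name mangling where a single leading underscore is the usual convention. A flatter version that keeps the name and signature is below; it assumes `socket` is already imported by the module, which the hunk does not show.

```python
    def __valid_ip(self, ip):
        """Return True if ip parses as a literal IPv4 or IPv6 address."""
        for family in (socket.AF_INET, socket.AF_INET6):
            try:
                socket.inet_pton(family, ip)
            except (socket.error, TypeError, ValueError):
                # Not a literal address for this family; try the next one.
                continue
            return True
        return False
```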