Don't allow IP source to be set via X-Real-IP unless we're behind a load balancer. #30

2014-11-16 13:45:20 -08:00
parent 33315c6050
commit a45b675976
2 changed files with 11 additions and 1 deletions
--- a/server/app.js
+++ b/server/app.js
@@ -89,7 +89,11 @@ function textRequestHandler(req, res, number, region, key) {
    res.send({success:false,message:'Sorry, texts to this number are disabled.'});
    return;
  }
-  var ip = req.header('X-Real-IP') || req.connection.remoteAddress;
+
+  var ip = req.connection.remoteAddress;
+  if (!ip || ip === '127.0.0.1') {
+    ip = req.header('X-Real-IP');
+  }

  var message = req.body.message;
  if (message.indexOf(':') > -1) {