From 13d096c6886455ce0150e97877ced9c3f16d1751 Mon Sep 17 00:00:00 2001
From: Jacques Distler
Date: Thu, 5 Mar 2009 12:14:03 -0600
Subject: [PATCH] Set X-Sendfile Header Only for Local Proxy Requests

If the request.remote_addr is not LOCALHOST, don't set the X-Sendfile header.
---
 app/controllers/application_controller.rb | 2 +-
 test/functional/file_controller_test.rb | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index aa4cadd1..847af96b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -85,7 +85,7 @@ class ApplicationController < ActionController::Base
 original_options[:type] ||= (FILE_TYPES[File.extname(file_name)] or 'application/octet-stream')
 original_options[:disposition] ||= (DISPOSITION[original_options[:type]] or 'attachment')
 original_options[:stream] ||= false
- original_options[:x_sendfile] = true if request.env.include?('HTTP_X_SENDFILE_TYPE')
+ original_options[:x_sendfile] = true if request.env.include?('HTTP_X_SENDFILE_TYPE') && request.remote_addr == LOCALHOST
 original_options
 end

diff --git a/test/functional/file_controller_test.rb b/test/functional/file_controller_test.rb
index f3696059..add7c0c8 100755
--- a/test/functional/file_controller_test.rb
+++ b/test/functional/file_controller_test.rb
@@ -85,6 +85,7 @@ class FileControllerTest < ActionController::TestCase
 pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
 @web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
 @request.env.update({ 'HTTP_X_SENDFILE_TYPE' => 'foo' })
+ @request.remote_addr = '127.0.0.1'
 r = get :file, :web => 'wiki1', :id => 'rails.gif'

 assert_response(:success, bypass_body_parsing = true)
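Review bot: The added `request.remote_addr == LOCALHOST` test only establishes that the peer is the local proxy, not that the proxy itself set `X-Sendfile-Type`; a request relayed through that proxy with a client-supplied copy of the header would presumably still satisfy both conditions, so the proxy has to strip or overwrite the inbound header. `LOCALHOST` is defined outside this hunk, and the exact string comparison will not match an IPv6 or IPv4-mapped loopback peer, though judging by the non-local test that case fails safe by streaming the body. I would record both assumptions above the line, e.g. `# Trust X-Sendfile-Type only from the local front-end proxy, which must overwrite any client-supplied copy; LOCALHOST is compared as an exact string.` The method this line belongs to starts outside the hunk.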
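Review bot: The added `@request.remote_addr = '127.0.0.1'` repeats as a literal what is presumably the value of the `LOCALHOST` constant the controller compares against, so the test and the check can drift apart if that constant is ever changed. If the constant is reachable from the test (its definition is not shown here), `@request.remote_addr = LOCALHOST` would keep the two tied together; otherwise a short comment such as `# must equal LOCALHOST, or the X-Sendfile branch is skipped` would explain the line. The test method begins and ends outside this hunk.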
@@ -93,6 +94,19 @@ class FileControllerTest < ActionController::TestCase
 assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
 end

+ def test_pic_x_sendfile_type_nonlocal
+ pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
+ @web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
+ @request.env.update({ 'HTTP_X_SENDFILE_TYPE' => 'foo' })
+ r = get :file, :web => 'wiki1', :id => 'rails.gif'
+
+ assert_response(:success, bypass_body_parsing = true)
+ assert_equal 'image/gif', r.headers['Content-Type']
+ assert_equal pic.size, r.body.size
+ assert_equal pic, r.body
+ assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
+ end
+
 def test_pic_unknown_pic
 r = get :file, :web => 'wiki1', :id => 'non-existant.gif'
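Review bot: test_pic_x_sendfile_type_nonlocal never sets `@request.remote_addr`, so the non-local case rests on whatever default peer address the test request carries, and the absence of the header is checked only indirectly through the body comparison. I would set the peer explicitly, e.g. `@request.remote_addr = '192.0.2.1'` (a constructed documentation-range address), and add `assert_nil r.headers['X-Sendfile']` so the test fails for the right reason if the guard is ever loosened. The setup lines mirror the local-proxy test, so a one-line comment such as `# X-Sendfile-Type from a non-loopback peer must be ignored and the file streamed` would state what distinguishes this case.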