From d46798dd081309a012960dc88cd39ef407171252 Mon Sep 17 00:00:00 2001
From: Jacques Distler
Date: Fri, 14 Mar 2008 10:50:06 -0500
Subject: [PATCH] Security: Sanitize Remote IP address

Dunno quite how, but evidently, request.ip is manipulable. Make sure it consists of a dotted-quad.

Also, correct a typo from the previous revision.
---
 app/controllers/wiki_controller.rb | 2 +-
 app/models/page.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/wiki_controller.rb b/app/controllers/wiki_controller.rb
index de27e92d..d466e9d4 100644
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@@ -412,7 +412,7 @@ class WikiController < ApplicationController
   def remote_ip
     ip = request.remote_ip
     logger.info(ip)
-    ip
+    ip.gsub!(/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/, '\1')
   end
 
   def render_atom(hide_description = false, limit = 15)
diff --git a/app/models/page.rb b/app/models/page.rb
index 2c9d09ce..26d4223e 100644
--- a/app/models/page.rb
+++ b/app/models/page.rb
@@ -77,7 +77,7 @@ class Page < ActiveRecord::Base
   # Returns the original wiki-word name as separate words, so "MyPage" becomes "My Page".
   def plain_name
-    web.brackets_only? ? CGI.escapeHTML(name) : CGI.escapHTML(WikiWords.separate(name))
+    web.brackets_only? ? CGI.escapeHTML(name) : CGI.escapeHTML(WikiWords.separate(name))
   end
 
   LOCKING_PERIOD = 30.minutes
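Review bot: The added `gsub!` line in `remote_ip` does not sanitize the value: the pattern is unanchored and the replacement `'\1'` is the match itself, so when a dotted-quad appears anywhere in the string the whole string is returned unchanged (including any surrounding characters), and when nothing matches `gsub!` returns `nil` rather than a cleaned value. To return only a validated IPv4 address, extract an anchored match instead, `ip.to_s[/\A\d{1,3}(?:\.\d{1,3}){3}\z/]`, and decide explicitly what callers should get back when that yields `nil` (for example if IPv6 addresses can arrive here, `IPAddr.new(ip)` with a rescue of its invalid-address error would validate both families). The `logger.info(ip)` line still records the unvalidated value, so logging after the check would keep untrusted input out of the log.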