From 7f0e9065d02c9b91be60a5bd14c945d51f9419ea Mon Sep 17 00:00:00 2001
From: Arnaud Joubay <jub@sowenga.net>
Date: Wed, 9 Sep 2015 11:11:26 +0200
Subject: [PATCH] Fix #906 - Use different memoization variables for
 request.location/safe_location

safe_location and location should not rely on the same variable,
otherwise calling one before the other will yield unexpected results
and could even cause a security risk if location is called before
safe_location
---
 lib/geocoder/request.rb   |  2 +-
 test/unit/request_test.rb | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/geocoder/request.rb b/lib/geocoder/request.rb
index 3673bec4..2b924bd3 100644
--- a/lib/geocoder/request.rb
+++ b/lib/geocoder/request.rb
@@ -17,7 +17,7 @@ module Geocoder
     #   corresponding to the original client IP for any request sent
     #   through a non-whitelisted proxy.
     def safe_location
-      @location ||= Geocoder.search(ip, ip_address: true).first
+      @safe_location ||= Geocoder.search(ip, ip_address: true).first
     end
 
     # There's a whole zoo of nonstandard headers added by various
diff --git a/test/unit/request_test.rb b/test/unit/request_test.rb
index 1622ddd6..f44df348 100644
--- a/test/unit/request_test.rb
+++ b/test/unit/request_test.rb
@@ -56,4 +56,14 @@ class RequestTest < GeocoderTestCase
     req = MockRequest.new({"HTTP_X_FORWARDED_FOR" => "Albequerque NM"})
     assert req.location.is_a?(Geocoder::Result::Freegeoip)
   end
+  def test_safe_location_after_location
+    req = MockRequest.new({"HTTP_X_REAL_IP" => "74.200.247.59"}, "127.0.0.1")
+    assert_equal 'US', req.location.country_code
+    assert_equal 'RD', req.safe_location.country_code
+  end
+  def test_location_after_safe_location
+    req = MockRequest.new({'HTTP_X_REAL_IP' => '74.200.247.59'}, '127.0.0.1')
+    assert_equal 'RD', req.safe_location.country_code
+    assert_equal 'US', req.location.country_code
+  end
 end
-- 
GitLab