Commit 6f3b6501 authored by Martijn Pieters's avatar Martijn Pieters

Collector #2321: skip trusted proxies when extracting the client ip from X-Forwarded-For

parent e62d3eae
......@@ -272,7 +272,15 @@ class HTTPRequest(BaseRequest):
if environ.has_key('HTTP_X_FORWARDED_FOR') and self._client_addr in trusted_proxies:
# REMOTE_ADDR is one of our trusted local proxies. Not really very remote at all.
# The proxy can tell us the IP of the real remote client in the forwarded-for header
self._client_addr = environ['HTTP_X_FORWARDED_FOR'].split(',')[-1].strip()
# Skip the proxy-address itself though
forwarded_for = [
e.strip()
for e in environ['HTTP_X_FORWARDED_FOR'].split(',')]
forwarded_for.reverse()
for entry in forwarded_for:
if entry not in trusted_proxies:
self._client_addr = entry
break
else:
self._client_addr = ''
......
......@@ -759,6 +759,38 @@ class RequestTests( unittest.TestCase ):
request = HTTPRequest(s, env, None)
self.assertEqual(request.method, 'POST')
def testTrustedProxies(self):
TEST_ENVIRON = {
'REQUEST_METHOD': 'GET',
'SERVER_NAME': 'localhost',
'SERVER_PORT': '80',
'REMOTE_ADDR': '127.0.0.1',
'HTTP_X_FORWARDED_FOR': '10.1.20.30, 192.168.1.100',
}
from StringIO import StringIO
from ZPublisher.HTTPRequest import HTTPRequest, trusted_proxies
s = StringIO('')
env = TEST_ENVIRON.copy()
request = HTTPRequest(s, env, None)
self.assertEqual(request.getClientAddr(), '127.0.0.1')
trusted_proxies.append('127.0.0.1')
request = HTTPRequest(s, env, None)
self.assertEqual(request.getClientAddr(), '192.168.1.100')
trusted_proxies[0] = '192.168.1.100'
env = TEST_ENVIRON.copy()
env['REMOTE_ADDR'] = '192.168.1.100'
request = HTTPRequest(s, env, None)
self.assertEqual(request.getClientAddr(), '10.1.20.30')
env = TEST_ENVIRON.copy()
del env['REMOTE_ADDR']
request = HTTPRequest(s, env, None)
self.assertEqual(request.getClientAddr(), '')
def test_suite():
suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(AuthCredentialsTests, 'test'))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment