Commit ed8b8062 authored by Martijn Pieters's avatar Martijn Pieters

Collector #2321: skip trusted proxies when extracting the client ip from X-Forwarded-For

parent 54109450
...@@ -8,6 +8,9 @@ Zope Changes ...@@ -8,6 +8,9 @@ Zope Changes
Bugs fixed Bugs fixed
- Collector #2321: Skip trusted proxies when extracting the client IP
address from the request.
- Collector #2318: Allow override of zopectl's control socket in - Collector #2318: Allow override of zopectl's control socket in
zope.conf zope.conf
......
...@@ -269,7 +269,15 @@ class HTTPRequest(BaseRequest): ...@@ -269,7 +269,15 @@ class HTTPRequest(BaseRequest):
if environ.has_key('HTTP_X_FORWARDED_FOR') and self._client_addr in trusted_proxies: if environ.has_key('HTTP_X_FORWARDED_FOR') and self._client_addr in trusted_proxies:
# REMOTE_ADDR is one of our trusted local proxies. Not really very remote at all. # REMOTE_ADDR is one of our trusted local proxies. Not really very remote at all.
# The proxy can tell us the IP of the real remote client in the forwarded-for header # The proxy can tell us the IP of the real remote client in the forwarded-for header
self._client_addr = environ['HTTP_X_FORWARDED_FOR'].split(',')[-1].strip() # Skip the proxy-address itself though
forwarded_for = [
e.strip()
for e in environ['HTTP_X_FORWARDED_FOR'].split(',')]
forwarded_for.reverse()
for entry in forwarded_for:
if entry not in trusted_proxies:
self._client_addr = entry
break
else: else:
self._client_addr = '' self._client_addr = ''
......
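Review bot: When every entry in X-Forwarded-For is itself listed in trusted_proxies, the loop added at L22–L25 never assigns, so self._client_addr silently keeps the REMOTE_ADDR value that the surrounding `if` has just established is a trusted proxy — exactly what the new `# Skip the proxy-address itself though` comment says should not be reported. A `for ... else:` arm should decide that case explicitly (keep the proxy address, or clear it) instead of leaving it implicit, e.g. `else:` followed by a comment such as `# every hop was a trusted proxy; no external client address is known`. The comment block above the loop should also record that the chosen entry is the one appended by the last trusted hop, that everything to its left is client-supplied and must not be used, and that the result is an unvalidated header string rather than a checked IP address. The enclosing method starts outside the hunk, so the outer `if` that owns the `else:` at L26 is not visible here.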
...@@ -702,6 +702,38 @@ class RequestTests( unittest.TestCase ): ...@@ -702,6 +702,38 @@ class RequestTests( unittest.TestCase ):
self.assertEqual(f.xreadlines(),f) self.assertEqual(f.xreadlines(),f)
def testTrustedProxies(self):
TEST_ENVIRON = {
'REQUEST_METHOD': 'GET',
'SERVER_NAME': 'localhost',
'SERVER_PORT': '80',
'REMOTE_ADDR': '127.0.0.1',
'HTTP_X_FORWARDED_FOR': '10.1.20.30, 192.168.1.100',
}
from StringIO import StringIO
from ZPublisher.HTTPRequest import HTTPRequest, trusted_proxies
s = StringIO('')
env = TEST_ENVIRON.copy()
request = HTTPRequest(s, env, None)
self.assertEqual(request.getClientAddr(), '127.0.0.1')
trusted_proxies.append('127.0.0.1')
request = HTTPRequest(s, env, None)
self.assertEqual(request.getClientAddr(), '192.168.1.100')
trusted_proxies[0] = '192.168.1.100'
env = TEST_ENVIRON.copy()
env['REMOTE_ADDR'] = '192.168.1.100'
request = HTTPRequest(s, env, None)
self.assertEqual(request.getClientAddr(), '10.1.20.30')
env = TEST_ENVIRON.copy()
del env['REMOTE_ADDR']
request = HTTPRequest(s, env, None)
self.assertEqual(request.getClientAddr(), '')
def test_suite(): def test_suite():
suite = unittest.TestSuite() suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(AuthCredentialsTestsa, 'test')) suite.addTest(unittest.makeSuite(AuthCredentialsTestsa, 'test'))
......
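Review bot: testTrustedProxies mutates the module-level trusted_proxies list (append at L45, index assignment at L48) and never restores it, so the trusted entry leaks into every later test in the same process and can change the outcome of other getClientAddr assertions. Snapshot and restore it around the mutations: `saved = trusted_proxies[:]` before L45 and `trusted_proxies[:] = saved` in a `finally:` (or in tearDown). The new test also does not cover a header whose entries are all trusted proxies or an empty X-Forwarded-For value, which are the edge cases of the new loop in HTTPRequest.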