fixup! ERP5Type/patches: use the first entry of HTTP_X_FORWARDED_FOR as the source IP address.

product/ERP5/bin/zopewsgi.py

@@ -139,7 +139,8 @@ def createServer(application, logger, **kw):
     server = create_server(
         TransLogger(application, logger=logger),
         trusted_proxy='*',
-        trusted_proxy_headers=('x-forwarded-for',),
+        # We handle X-Forwarded-For by ourselves. See ERP5Type/patches/WSGITask.py.
+        # trusted_proxy_headers=('x-forwarded-for',),
         clear_untrusted_proxy_headers=True,
         **kw
     )

product/ERP5Type/ZopePatch.py

@@ -90,6 +90,7 @@ from Products.ERP5Type.patches import ZSQLMethod
 from Products.ERP5Type.patches import MimetypesRegistry
 from Products.ERP5Type.patches import users
 from Products.ERP5Type.patches import Publish
+from Products.ERP5Type.patches import WSGITask
 
 # These symbols are required for backward compatibility
 from Products.ERP5Type.patches.PropertyManager import ERP5PropertyManager

product/ERP5Type/patches/WSGITask.py

+# -*- coding: utf-8 -*-
+
+import ZPublisher.HTTPRequest
+from waitress.task import WSGITask
+
+WSGITask_parse_proxy_headers = WSGITask.parse_proxy_headers
+
+def parse_proxy_headers(
+  self,
+  environ,
+  headers,
+  trusted_proxy_count=1,
+  trusted_proxy_headers=None,
+):
+  if ZPublisher.HTTPRequest.trusted_proxies == ('0.0.0.0',): # Magic value to enable this functionality
+    # Frontend-facing proxy is responsible for sanitising
+    # X_FORWARDED_FOR, and only trusted accesses should bypass
+    # that proxy. So trust first entry.
+    forwarded_for = headers.get('X_FORWARDED_FOR', '').split(',', 1)[0].strip()
+  else:
+    forwarded_for = None
+
+  untrusted_headers = WSGITask_parse_proxy_headers(
+    self,
+    environ=environ,
+    headers=headers,
+    trusted_proxy_count=trusted_proxy_count,
+    trusted_proxy_headers=trusted_proxy_headers,
+  )
+
+  if forwarded_for:
+    environ['REMOTE_ADDR'] = forwarded_for
+
+  return untrusted_headers
+
+WSGITask.parse_proxy_headers = parse_proxy_headers
+