fixup! fixup! ERP5Type/patches: use the first entry of HTTP_X_FORWARDED_FOR as...

fixup! fixup! ERP5Type/patches: use the first entry of HTTP_X_FORWARDED_FOR as the source IP address.

fixup! fixup! ERP5Type/patches: use the first entry of HTTP_X_FORWARDED_FOR as...
fixup! fixup! ERP5Type/patches: use the first entry of HTTP_X_FORWARDED_FOR as the source IP address.
35c0e1e7 · Kazuhiko Shiozaki · 2c484ab3 · 35c0e1e7 · 35c0e1e7
Commit 35c0e1e7 authored Jun 26, 2020 by Kazuhiko Shiozaki
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 21 deletions

product/ERP5/bin/zopewsgi.py product/ERP5/bin/zopewsgi.py +1 -1

product/ERP5Type/patches/WSGITask.py product/ERP5Type/patches/WSGITask.py +7 -20

No files found.
--- a/product/ERP5/bin/zopewsgi.py
+++ b/product/ERP5/bin/zopewsgi.py
@@ -138,8 +138,8 @@ def createServer(application, logger, **kw):
    global server
    server = create_server(
        TransLogger(application, logger=logger),
-        trusted_proxy='*',
        # We handle X-Forwarded-For by ourselves. See ERP5Type/patches/WSGITask.py.
+        # trusted_proxy='*',
        # trusted_proxy_headers=('x-forwarded-for',),
        clear_untrusted_proxy_headers=True,
        **kw

--- a/product/ERP5Type/patches/WSGITask.py
+++ b/product/ERP5Type/patches/WSGITask.py
@@ -3,35 +3,22 @@
 import ZPublisher.HTTPRequest
 from waitress.task import WSGITask

-WSGITask_parse_proxy_headers = WSGITask.parse_proxy_headers
+WSGITask_get_environment = WSGITask.get_environment

-def parse_proxy_headers(
-  self,
-  environ,
-  headers,
-  trusted_proxy_count=1,
-  trusted_proxy_headers=None,
-):
+def get_environment(self):
  if ZPublisher.HTTPRequest.trusted_proxies == ('0.0.0.0',): # Magic value to enable this functionality
    # Frontend-facing proxy is responsible for sanitising
    # X_FORWARDED_FOR, and only trusted accesses should bypass
    # that proxy. So trust first entry.
-    forwarded_for = headers.get('X_FORWARDED_FOR', '').split(',', 1)[0].strip()
+    forwarded_for = dict(self.request.headers).get('X_FORWARDED_FOR', '').split(',', 1)[0].strip()
  else:
    forwarded_for = None

-  untrusted_headers = WSGITask_parse_proxy_headers(
-    self,
-    environ=environ,
-    headers=headers,
-    trusted_proxy_count=trusted_proxy_count,
-    trusted_proxy_headers=trusted_proxy_headers,
-  )
+  environ = WSGITask_get_environment(self)

  if forwarded_for:
-    environ['REMOTE_ADDR'] = forwarded_for
+    environ['REMOTE_HOST'] = environ['REMOTE_ADDR'] = forwarded_for

-  return untrusted_headers
-
-WSGITask.parse_proxy_headers = parse_proxy_headers
+  return environ

+WSGITask.get_environment = get_environment