Merge authors:
jimpop (jimpop)
------------------------------------------------------------
revno: 1568 [merge]
committer: Mark Sapiro <[email protected]>
branch nick: 2.1
timestamp: Tue 2015-06-23 12:53:50 -0700
message:
Improved identification of remote clients coming via a proxy server.
modified:
Mailman/Cgi/listinfo.py
Mailman/Cgi/options.py
Mailman/Cgi/subscribe.py
Mailman/Utils.py
NEWS
=== modified file 'Mailman/Cgi/listinfo.py'
--- Mailman/Cgi/listinfo.py 2015-04-24 00:42:33 +0000
+++ Mailman/Cgi/listinfo.py 2015-06-23 19:53:50 +0000
@@ -187,9 +187,10 @@
'subscribe')
if mm_cfg.SUBSCRIBE_FORM_SECRET:
now = str(int(time.time()))
- remote = os.environ.get('REMOTE_HOST',
- os.environ.get('REMOTE_ADDR',
- 'w.x.y.z'))
+ remote = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+ 'w.x.y.z')))
# Try to accept a range in case of load balancers, etc. (LP: #1447445)
if remote.find('.') >= 0:
# ipv4 - drop last octet
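Review bot: The new lookup on the `remote =` lines consults `HTTP_FORWARDED_FOR` and `HTTP_X_FORWARDED_FOR` before `REMOTE_ADDR`, but those CGI variables are copied straight from request headers, so any client can supply them unless a front-end proxy is known to overwrite them; for the form secret this means the address the token is bound to is chosen by the requester, which weakens the check where no proxy is present rather than improving it. A forwarded header may also carry a comma-separated chain of addresses, so the `remote.find('.')` octet handling that follows the hunk would presumably operate on the whole list rather than on one address. Consider honouring these headers only when a configuration setting says the server sits behind a proxy, taking just the single element that proxy appended, and using `REMOTE_ADDR` otherwise. The same lookup is added in Cgi/options.py (both hunks), Cgi/subscribe.py and Utils.py; the enclosing function continues outside the hunk.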
=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py 2015-01-23 00:09:03 +0000
+++ Mailman/Cgi/options.py 2015-06-23 13:40:09 +0000
@@ -193,7 +193,10 @@
mlist.HoldUnsubscription(user)
doc.addError(msga, tag='')
else:
- ip = os.environ.get('REMOTE_ADDR')
+ ip = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+ 'unidentified origin')))
mlist.ConfirmUnsubscription(user, userlang, remote=ip)
doc.addError(msgc, tag='')
mlist.Save()
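Review bot: The three-level `os.environ.get` chain added for `ip` is the same text as the blocks added in the second hunk of this file, in Cgi/listinfo.py, Cgi/subscribe.py and Utils.py, differing only in the fallback string. Five copies of a precedence rule that is likely to need tuning (which header to trust, which element of a comma-separated chain to take) are easy to change inconsistently; a single helper in Utils that returns the remote address, called as e.g. `ip = Utils.get_remote_ip()` (name constructed), would keep the policy in one place. The enclosing function starts and ends outside the hunk.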
@@ -264,9 +267,13 @@
# So as not to allow membership leakage, prompt for the email
# address and the password here.
if mlist.private_roster <> 0:
+ remote = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+ 'unidentified origin')))
syslog('mischief',
- 'Login failure with private rosters: %s',
- user)
+ 'Login failure with private rosters: %s from %s',
+ user, remote)
user = None
# give an HTTP 401 for authentication failure
print 'Status: 401 Unauthorized'
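Review bot: The `syslog('mischief', ...)` call now writes `remote` into the log, and because that value may come from a forwarded header it is not guaranteed to be an address at all; a requester can place arbitrary text or another party's address there, so the entry no longer reliably identifies the peer. Logging the socket peer alongside keeps one trustworthy field: `'Login failure with private rosters: %s from %s (peer %s)',` followed by `user, remote, os.environ.get('REMOTE_ADDR', 'unidentified origin'))` — or validate that `remote` parses as an IP literal before using it. The syslog added in Utils.py has the same shape. The enclosing function starts and ends outside the hunk.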
=== modified file 'Mailman/Cgi/subscribe.py'
--- Mailman/Cgi/subscribe.py 2015-04-24 00:42:33 +0000
+++ Mailman/Cgi/subscribe.py 2015-06-23 13:40:09 +0000
@@ -118,9 +118,10 @@
# Canonicalize the full name
fullname = Utils.canonstr(fullname, lang)
# Who was doing the subscribing?
- remote = os.environ.get('REMOTE_HOST',
- os.environ.get('REMOTE_ADDR',
- 'unidentified origin'))
+ remote = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+ 'unidentified origin')))
# Are we checking the hidden data?
if mm_cfg.SUBSCRIBE_FORM_SECRET:
now = int(time.time())
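Review bot: The `remote` computed here appears to feed the form-secret check under `if mm_cfg.SUBSCRIBE_FORM_SECRET:` (the hashing itself is below the hunk), so it has to be derived exactly as Cgi/listinfo.py derives it when the token is issued, and nothing in the code says so. A comment above the assignment, `# Must be computed exactly as in Cgi/listinfo.py; the SUBSCRIBE_FORM_SECRET check hashes this value.`, would stop the two copies from drifting apart when one is edited. The enclosing function continues outside the hunk.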
=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py 2015-05-01 16:14:08 +0000
+++ Mailman/Utils.py 2015-06-23 19:53:50 +0000
@@ -262,7 +262,14 @@
if path:
if CRNLpat.search(path):
path = CRNLpat.split(path)[0]
- syslog('error', 'Warning: Possible malformed path attack.')
+ remote = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+ 'unidentified origin')))
+ syslog('error',
+ 'Warning: Possible malformed path attack domain=%s remote=%s',
+ get_domain(),
+ remote)
return [p for p in path.split('/') if p]
return None
=== modified file 'NEWS'
--- NEWS 2015-06-08 05:41:05 +0000
+++ NEWS 2015-06-23 19:53:50 +0000
@@ -14,6 +14,10 @@
Bug fixes and other patches
+ - Improved identification of remote clients for logging and subscribe
+ form checking in cases where access is via a proxy server. Thanks to
+ Jim Popovitch.
+
- Fixed an issue with shunted messages on a list where the charset for
the list's preferred_language had been changed from iso-8859-1 to
utf-8 without recoding the list's description. (LP: #1462755)