This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "snap-core".
The branch, master has been updated
via eba3be26bf644cd51266bea3cd99bbefc85d3717 (commit)
from 951b20a280150164ee615b07f71e4f8e82dbaab9 (commit)
Summary of changes:
src/Snap/Internal/Types.hs | 27 +++++++++++++++++++++++++--
1 files changed, 25 insertions(+), 2 deletions(-)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit eba3be26bf644cd51266bea3cd99bbefc85d3717
Author: Carl Howells <[email protected]>
Date: Thu Jun 17 23:15:04 2010 -0700
Correct functionality in ipHeaderFilter, and improve documentation
diff --git a/src/Snap/Internal/Types.hs b/src/Snap/Internal/Types.hs
index 39cbd83..bcf3931 100644
--- a/src/Snap/Internal/Types.hs
+++ b/src/Snap/Internal/Types.hs
@@ -461,8 +461,17 @@ withResponse = (getResponse >>=)
------------------------------------------------------------------------------
-- | Modifies the 'Request' in the state to set the 'rqRemoteAddr'
--- field to the value in the X-Forwarded-For header. If the header is
+-- field to the value in the X-Forwarded-For header. If the header is
-- not present, this action has no effect.
+--
+-- This action should be used only when working behind a reverse http
+-- proxy that sets the X-Forwarded-For header. This is the only way to
+-- ensure the value in the X-Forwarded-For header can be trusted.
+--
+-- This is provided as a filter so actions that require the remote
+-- address can get it in a uniform manner. It has specifically limited
+-- functionality to ensure that its transformation can be trusted,
+-- when used correctly.
ipHeaderFilter :: Snap ()
ipHeaderFilter = ipHeaderFilter' "x-forwarded-for"
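Review bot: The paragraph added to `ipHeaderFilter` (and the identical one on `ipHeaderFilter'` in the next hunk) says a proxy that "sets" the header makes the value trustworthy, but it does not say the proxy must replace whatever the client sent. The cleaning code in the next hunk keeps only the first address in the header. Behind a proxy that appends to an existing X-Forwarded-For, the value stored in `rqRemoteAddr` would therefore still be the client-supplied one. I would add a line to both comments such as `-- The proxy must overwrite any copy of this header sent by the client; only the first address in the header value is used.`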
@@ -471,11 +480,25 @@ ipHeaderFilter = ipHeaderFilter' "x-forwarded-for"
-- | Modifies the 'Request' in the state to set the 'rqRemoteAddr'
-- field to the value from the header specified. If the header
-- specified is not present, this action has no effect.
+--
+-- This action should be used only when working behind a reverse http
+-- proxy that sets the header being looked at. This is the only way to
+-- ensure the value in the header can be trusted.
+--
+-- This is provided as a filter so actions that require the remote
+-- address can get it in a uniform manner. It has specifically limited
+-- functionality to ensure that its transformation can be trusted,
+-- when used correctly.
ipHeaderFilter' :: CIB.CIByteString -> Snap ()
ipHeaderFilter' header = do
headerContents <- getHeader header <$> getRequest
- let setIP ip = modifyRequest $ \rq -> rq { rqRemoteAddr = ip }
+ let whitespace = " \t\r\n"
+ ipChrs = ".0123456789"
+ trim f s = f (`elem` s)
+
+ clean = trim S.takeWhile ipChrs . trim S.dropWhile whitespace
+ setIP ip = modifyRequest $ \rq -> rq { rqRemoteAddr = clean ip }
maybe (return ()) setIP headerContents
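Review bot: `clean` can return an empty or truncated string, and `setIP` stores it in `rqRemoteAddr` unconditionally. A header value that begins with any character outside `ipChrs` (a hostname, or an IPv6 address starting with a hex letter) cleans to `""`, an IPv6 address starting with digits is cut at the first `:`, and strings like `...` pass because `ipChrs` filters characters without checking for a dotted quad. In each case the address the server recorded for the connection is replaced by something that is not an address, which matters if later handlers log it or base access decisions on it. Consider leaving the request untouched when the cleaned value is empty, e.g. `setIP ip = let a = clean ip in if S.null a then return () else modifyRequest $ \rq -> rq { rqRemoteAddr = a }`, and state the IPv4-only limitation in the doc comment.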
-----------------------------------------------------------------------