Jim Washington wrote:
> 2. If we want to get fancy about allowing authentication using that ip
> address like naked ZServers can do,
>
> In lib/python/AccessControl/User.py, around line 1116,
> change
>
> if request.has_key('REMOTE_ADDR'):
> addr=request['REMOTE_ADDR']
>
> to
>
> if request.has_key('HTTP_X_FORWARDED_FOR'):
> addr=request['HTTP_X_FORWARDED_FOR']
> elif request.has_key('REMOTE_ADDR'):
> addr=request['REMOTE_ADDR']
>
> I do not believe this does anything to authentication that is not
> possible now regarding spoofed ip addresses, so probably not a major
> security headache.
Correct me if I'm wrong, but this IMO makes spoofing against a naked
ZServer a childs play. It's just adding a custom header to the request.
I also doubt that every reverse proxy overwrites this header, so
zservers behind a proxy might also be hit.
TCP spoofing OTOH is far more complicated, if (does it?) zope turns off
the source routing option when replying, if present. IMO something like
cracking a router or predicting sequence numbers is another level from
adding a custom http-header.
cheers,
oliver
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
