Jim Washington wrote:

> 2.  If we want to get fancy about allowing authentication using that ip 
> address like naked ZServers can do,
> 
> In lib/python/AccessControl/User.py, around line 1116,
> change
> 
>    if request.has_key('REMOTE_ADDR'):
>       addr=request['REMOTE_ADDR']
> 
> to
> 
>    if request.has_key('HTTP_X_FORWARDED_FOR'):
>       addr=request['HTTP_X_FORWARDED_FOR']
>    elif request.has_key('REMOTE_ADDR'):
>       addr=request['REMOTE_ADDR']
> 
> I do not believe this does anything to authentication that is not 
> possible now regarding spoofed ip addresses, so probably not a major 
> security headache.

Correct me if I'm wrong, but this IMO makes spoofing against a naked 
ZServer child's play. It's just adding a custom header to the request.
I also doubt that every reverse proxy overwrites this header, so 
ZServers behind a proxy might also be hit.

TCP spoofing OTOH is far more complicated, if (does it?) Zope turns off 
the source routing option when replying, if present. IMO something like 
cracking a router or predicting sequence numbers is another level from 
adding a custom HTTP header.


cheers,
oliver
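To make the point above concrete, here is an added example (not code from the thread or from Zope) contrasting the proposed header-first lookup with the usual fix: honour X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is a known reverse proxy. The proxy address and the sample requests are constructed.

```python
# Added example: why trusting X-Forwarded-For unconditionally is dangerous,
# and the standard mitigation (trusted-proxy list). Not Zope code.
import ipaddress

# Constructed value: the reverse proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5"),
                   ipaddress.ip_address("10.0.0.6")}


def client_addr_naive(environ):
    """The patch as proposed: the header wins over the TCP peer address."""
    if "HTTP_X_FORWARDED_FOR" in environ:
        return environ["HTTP_X_FORWARDED_FOR"]
    return environ.get("REMOTE_ADDR")


def client_addr_trusted(environ, trusted=TRUSTED_PROXIES):
    """Use X-Forwarded-For only when REMOTE_ADDR is a trusted proxy.

    Each proxy appends its client, so the header reads 'client, proxy1, ...'.
    Walk it from the right, skipping trusted hops; the first untrusted hop
    is the real client. Anything malformed falls back to the peer address.
    """
    peer = environ.get("REMOTE_ADDR")
    try:
        peer_ip = ipaddress.ip_address(peer)
    except (TypeError, ValueError):
        return None
    if peer_ip not in trusted:
        return peer  # direct connection: header is attacker-controlled, ignore it
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if hop_ip not in trusted:
            return hop
    return peer


# Constructed requests (WSGI/CGI-style environ dicts).
# A direct connection that forges the header to look like localhost:
DIRECT_FORGED = {"REMOTE_ADDR": "203.0.113.9",
                 "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
# A genuine request relayed through two trusted proxies:
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.5",
             "HTTP_X_FORWARDED_FOR": "198.51.100.7, 10.0.0.6"}
```

With the naive lookup the forged request is treated as coming from 127.0.0.1; with the trusted-proxy lookup it stays 203.0.113.9, while the relayed request resolves to the real client in both cases.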



_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
