Jim Washington wrote:
> 2. If we want to get fancy about allowing authentication using that ip
> address like naked ZServers can do,
>
> In lib/python/AccessControl/User.py, around line 1116,
> change
>
>     if request.has_key('REMOTE_ADDR'):
>         addr=request['REMOTE_ADDR']
>
> to
>
>     if request.has_key('HTTP_X_FORWARDED_FOR'):
>         addr=request['HTTP_X_FORWARDED_FOR']
>     elif request.has_key('REMOTE_ADDR'):
>         addr=request['REMOTE_ADDR']
>
> I do not believe this does anything to authentication that is not
> possible now regarding spoofed ip addresses, so probably not a major
> security headache.

Correct me if I'm wrong, but this IMO makes spoofing against a naked
ZServer child's play. It's just adding a custom header to the request. I
also doubt that every reverse proxy overwrites this header, so ZServers
behind a proxy might also be hit.

TCP spoofing OTOH is far more complicated, if (does it?) Zope turns off
the source routing option when replying, if present. IMO something like
cracking a router or predicting sequence numbers is another level from
adding a custom http-header.

cheers,
oliver

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
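The difference between the two positions in the thread comes down to who is allowed to write the address that the access check reads. The snippet below is an added illustration, not code from Zope or from either poster: it places the proposed "trust X-Forwarded-For whenever it is present" logic next to a version that only consults the header when the TCP peer (REMOTE_ADDR, which the kernel fills in and a client cannot set) is one of our own reverse proxies. The WSGI-style `environ` dicts, the `TRUSTED_PROXIES` ranges and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed for this example: address ranges of the reverse proxies we
# operate. Any other peer is treated as a direct client.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def naive_client_address(environ):
    """The change proposed in the thread: prefer the header if it exists.

    On a naked ZServer the header is whatever the client chose to send, so
    any address-based check downstream is checking a client-supplied value.
    """
    if "HTTP_X_FORWARDED_FOR" in environ:
        return environ["HTTP_X_FORWARDED_FOR"]
    return environ.get("REMOTE_ADDR")


def _is_trusted(ip, trusted_proxies):
    return any(ip in net for net in trusted_proxies)


def client_address(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to use for IP-based checks.

    The header is only believed when the immediate peer is a trusted proxy,
    and even then it is read from the right: each proxy appends the address
    it saw, so the rightmost entries were written by our proxies and the
    leftmost ones may have arrived with the request. The first untrusted hop
    found walking right-to-left is the client as seen by our outermost proxy.
    Any malformed entry, or a header with nothing but proxies in it, falls
    back to the peer address.
    """
    peer = environ.get("REMOTE_ADDR")
    if peer is None:
        return None
    peer_ip = ipaddress.ip_address(peer)

    if not _is_trusted(peer_ip, trusted_proxies):
        # Direct client (the "naked ZServer" case): the header is not ours.
        return str(peer_ip)

    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            # Garbage in the header: do not guess, use the peer we can verify.
            return str(peer_ip)
        if not _is_trusted(hop_ip, trusted_proxies):
            return str(hop_ip)

    # Header empty or consisting only of our own proxies.
    return str(peer_ip)


if __name__ == "__main__":
    # Constructed request: a direct client claiming to be localhost.
    spoofed = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
    print("naive   :", naive_client_address(spoofed))   # 127.0.0.1
    print("hardened:", client_address(spoofed))         # 203.0.113.5
```

The hardened version still depends on every trusted proxy appending to the header rather than passing it through untouched, which is the doubt raised in the reply above: if a proxy forwards a client-supplied header unchanged, the rightmost entry is still the client's choice, and the only safe reading is the proxy's own peer address.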