On Wed, 10 Apr 2002 12:16:35 -0400, Jim Washington <[EMAIL PROTECTED]>

>2.  If we want to get fancy about allowing authentication using that ip 
>address like naked ZServers can do,

>if request.has_key('HTTP_X_FORWARDED_FOR'):
>       addr=request['HTTP_X_FORWARDED_FOR']
>    elif request.has_key('REMOTE_ADDR'):
>       addr=request['REMOTE_ADDR']

There are lots of things that use REMOTE_ADDR, and I guess they should
*all* use the proxy supplied address rather than the address of the
proxy. It makes sense to me that we should *replace* REMOTE_ADDR with
HTTP_X_FORWARDED_FOR at the earliest opportunity. (and create a

Have you considered this approach?

On Wed, 10 Apr 2002 18:59:38 +0200, Oliver Bleutgen <[EMAIL PROTECTED]>

>Correct me if I'm wrong, but this IMO makes spoofing against a naked 
>ZServer a childs play.

Thats correct for a naked ZServer, or if behind a proxy which does not
sanitize the X-FORWARDED-FOR header. However it is safe if the request
comes from the right kind of proxy.

I think we need a new command line option to specify a list of IP
addresses which are trusted to run 'the right kind of proxy'. Zope
should only trust the X-FORWARDED-FOR header if the remote address is
one of its trusted proxies.

Pseudocode for handling this would be:

if request['REMOTE_ADDR'] in our_trusted_front_end_proxies:
    request['HTTP_X_FORWARDED_BY'] = request['REMOTE_ADDR']
    request['REMOTE_ADDR'] = request['HTTP_X_FORWARDED_FOR']

Toby Dickenson

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to