On Wed, 10 Apr 2002 12:16:35 -0400, Jim Washington <[EMAIL PROTECTED]> wrote:
>2. If we want to get fancy about allowing authentication using that ip >address like naked ZServers can do, >to > >if request.has_key('HTTP_X_FORWARDED_FOR'): > addr=request['HTTP_X_FORWARDED_FOR'] > elif request.has_key('REMOTE_ADDR'): > addr=request['REMOTE_ADDR'] There are lots of things that use REMOTE_ADDR, and I guess they should *all* use the proxy supplied address rather than the address of the proxy. It makes sense to me that we should *replace* REMOTE_ADDR with HTTP_X_FORWARDED_FOR at the earliest opportunity. (and create a X_FORWARDED_BY) Have you considered this approach? On Wed, 10 Apr 2002 18:59:38 +0200, Oliver Bleutgen <[EMAIL PROTECTED]> wrote: >Correct me if I'm wrong, but this IMO makes spoofing against a naked >ZServer a childs play. Thats correct for a naked ZServer, or if behind a proxy which does not sanitize the X-FORWARDED-FOR header. However it is safe if the request comes from the right kind of proxy. I think we need a new command line option to specify a list of IP addresses which are trusted to run 'the right kind of proxy'. Zope should only trust the X-FORWARDED-FOR header if the remote address is one of its trusted proxies. Pseudocode for handling this would be: if request['REMOTE_ADDR'] in our_trusted_front_end_proxies: request['HTTP_X_FORWARDED_BY'] = request['REMOTE_ADDR'] request['REMOTE_ADDR'] = request['HTTP_X_FORWARDED_FOR'] Toby Dickenson [EMAIL PROTECTED] _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )