Hi there,

There doesn't appear to be a way to get the client's IP address from the
request. Zope 2 has a getClientAddr() on the request object that uses
_client_addr, which gets created like this:

if environ.has_key('REMOTE_ADDR'):
    self._client_addr = environ['REMOTE_ADDR']
    if (environ.has_key('HTTP_X_FORWARDED_FOR') and
        self._client_addr in trusted_proxies):
        # REMOTE_ADDR is one of our trusted local proxies. Not
        # really very remote at all.
        # The proxy can tell us the IP of the real remote client in
        # the forwarded-for header
        self._client_addr = environ[
        self._client_addr = ''

# The trusted_proxies configuration setting contains a sequence
# of front-end proxies that are trusted to supply an accurate
# X_FORWARDED_FOR header. If REMOTE_ADDR is one of the values in
# this list and it has set an X_FORWARDED_FOR header, ZPublisher
# copies REMOTE_ADDR into X_FORWARDED_BY, and the last element of
# left unchanged. The ZConfig machinery may sets this attribute
# on initialization if any trusted-proxies are defined in the
# configuration file.

trusted_proxies = []

Would it be valuable to have equivalent machinery in Zope 3? I would
like to retrieve the IP address and it'd be nice if it worked with proxies.

Porting this code to Zope 3 sounds possible. Some problems:

* 'HTTP_X_FORWARDED_FOR' is not seen as something that ends up in
  environ, as it's not considered to be a valid cgi name by
  zope.publisher.browser. Where would it end up? In headers?

* There's no zconf setting in Zope 3 that I'm aware of to configure

* there's a comment that cookie data is accessed before environ data.
  Does this mean a cookie could be crafted to fake REMOTE_ADDR?


Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to