Jim Washington wrote:
> 2. If we want to get fancy about allowing authentication using that IP address like naked ZServers can do:
> In lib/python/AccessControl/User.py, around line 1116, change
>
>     if request.has_key('REMOTE_ADDR'): addr=request['REMOTE_ADDR']
>
> to
>
>     if request.has_key('HTTP_X_FORWARDED_FOR'):
>         addr=request['HTTP_X_FORWARDED_FOR']
>     elif request.has_key('REMOTE_ADDR'):
>         addr=request['REMOTE_ADDR']
>
> I do not believe this does anything to authentication that is not possible now regarding spoofed IP addresses, so probably not a major security headache.
Correct me if I'm wrong, but this IMO makes spoofing against a naked ZServer child's play. It's just adding a custom header to the request. I also doubt that every reverse proxy overwrites this header, so ZServers behind a proxy might also be hit. TCP spoofing OTOH is far more complicated, if (does it?) Zope turns off the source routing option when replying, if present. IMO something like cracking a router or predicting sequence numbers is another level from adding a custom HTTP header.

cheers,
oliver
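The objection above can be made concrete. The following is an added example, not code from Zope or from either poster: a naive address lookup that mirrors the quoted patch, beside a hardened one that honours X-Forwarded-For only when the TCP peer is a known reverse proxy and then takes the rightmost hop that is not one of our own proxies. The trusted proxy address 10.0.0.5, the allow-listed address 192.0.2.10, the attacker address 198.51.100.77 and the request dictionaries are all constructed for the example.

```python
import ipaddress

# Added example (not Zope's code). The request is modelled as a CGI-style
# dictionary with REMOTE_ADDR (the TCP peer) and HTTP_X_FORWARDED_FOR.

# Assumption for this example: 10.0.0.5 is the only reverse proxy that is
# allowed to set X-Forwarded-For on the way to the application server.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.5")})


def client_addr_naive(request):
    """Mirror of the quoted patch: take X-Forwarded-For whenever it is
    present, regardless of who sent it."""
    if "HTTP_X_FORWARDED_FOR" in request:
        return request["HTTP_X_FORWARDED_FOR"]
    return request.get("REMOTE_ADDR")


def client_addr_hardened(request, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    then walk the hop list from the right and stop at the first address
    that is not one of our proxies. Hops further left were supplied by
    untrusted parties (including a client that sent its own forged
    header) and are ignored."""
    peer = request.get("REMOTE_ADDR")
    if peer is None:
        return None
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        return None
    if peer_ip not in trusted_proxies:
        # Direct connection: any header the client sent is attacker-controlled.
        return str(peer_ip)
    raw = request.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: refuse rather than guess.
            return None
        if hop_ip not in trusted_proxies:
            return str(hop_ip)
    # No header, or only our own proxies listed: fall back to the peer.
    return str(peer_ip)


def is_allowed(request, allowed_ip, resolver):
    """Address-based access check using the given resolver function."""
    return resolver(request) == allowed_ip


# Constructed requests. 192.0.2.10 is the address on the allow list;
# 198.51.100.77 is an attacker connecting from elsewhere.
ADMIN_IP = "192.0.2.10"
REQUESTS = {
    # Attacker talks to a naked ZServer and forges the header.
    "direct_spoof": {"REMOTE_ADDR": "198.51.100.77",
                     "HTTP_X_FORWARDED_FOR": ADMIN_IP},
    # Legitimate admin behind the trusted proxy.
    "via_proxy": {"REMOTE_ADDR": "10.0.0.5",
                  "HTTP_X_FORWARDED_FOR": ADMIN_IP},
    # Attacker behind the proxy; the proxy appends rather than overwrites.
    "via_proxy_spoof": {"REMOTE_ADDR": "10.0.0.5",
                        "HTTP_X_FORWARDED_FOR": ADMIN_IP + ", 198.51.100.77"},
    # Trusted proxy with no header at all.
    "via_proxy_no_header": {"REMOTE_ADDR": "10.0.0.5"},
}


def run_demo():
    """Return {name: (naive_allowed, hardened_allowed)} for each request."""
    return {
        name: (is_allowed(req, ADMIN_IP, client_addr_naive),
               is_allowed(req, ADMIN_IP, client_addr_hardened))
        for name, req in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (naive, hardened) in run_demo().items():
        print("%-20s naive=%-5s hardened=%s" % (name, naive, hardened))
```

The "direct_spoof" case is the one Oliver describes: against a naked server the naive lookup admits the forged header, the hardened one ignores it because the peer is not a proxy. The "via_proxy_spoof" case covers the proxy that appends instead of overwriting; walking the chain from the right recovers the real client. Note that the naive version also mishandles that case, since it compares the whole comma-separated header against the allowed address.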