[Zope-Checkins] CVS: Zope/lib/python/ZPublisher - HTTPRequest.py:1.81.2.2.6.1

Toby Dickenson tdickenson@geminidataloggers.com
Wed, 23 Oct 2002 10:59:33 -0400 

Update of /cvs-repository/Zope/lib/python/ZPublisher
In directory cvs.zope.org:/tmp/cvs-serv2269/lib/python/ZPublisher

Modified Files:
      Tag: toby-http-forwarded-for-branch
	HTTPRequest.py 
Log Message:
Implementation of the HTTP_X_FORWARDED_FOR and REMOTE_ADDR change which wasnt ready in time for 2.6. This branch is epxected to be merged with the trunk before  2.7. It will not go into 2.6.x

=== Zope/lib/python/ZPublisher/HTTPRequest.py 1.81.2.2 => 1.81.2.2.6.1 ===
--- Zope/lib/python/ZPublisher/HTTPRequest.py:1.81.2.2	Fri Sep 27 13:34:39 2002
+++ Zope/lib/python/ZPublisher/HTTPRequest.py	Wed Oct 23 10:59:32 2002
@@ -59,6 +59,7 @@
 tainting_env = str(os.environ.get('ZOPE_DTML_REQUEST_AUTOQUOTE', '')).lower()
 TAINTING_ENABLED  = tainting_env not in ('disabled', '0', 'no')
 
+
 _marker=[]
 class HTTPRequest(BaseRequest):
     """\
@@ -252,6 +253,13 @@
         self._steps=[]
         self._lazies={}
 
+        if environ.has_key('HTTP_X_FORWARDED_FOR') and environ.has_key('REMOTE_ADDR'):
+            if environ['REMOTE_ADDR'] in trusted_proxies:
+                # REMOTE_ADDR is one of our trusted local proxies. Not really very remote at all.
+                # The proxy can tell us the IP of the real remote client in the forwarded-for header
+                environ['HTTP_X_FORWARDED_BY'] = environ['REMOTE_ADDR']
+                environ['REMOTE_ADDR'] = environ['HTTP_X_FORWARDED_FOR'].split(',')[-1].strip()
+
         ################################################################
         # Get base info first. This isn't likely to cause
         # errors and might be useful to error handlers.
@@ -1490,3 +1498,20 @@
 REC=RECORD|RECORDS
 EMPTY=16
 CONVERTED=32
+
+
+# The ZOPE_TRUSTED_PROXIES environment variable contains a colon separated 
+# list of front-end proxies that are trusted to supply an accurate
+# X_FORWARDED_FOR header. If REMOTE_ADDR is one of the values in this list
+# and it has set an X_FORWARDED_FOR header, ZPublisher copies REMOTE_ADDR
+# into X_FORWARDED_BY, and the last element of the X_FORWARDED_FOR list
+# into REMOTE_ADDR. X_FORWARDED_FOR is left unchanged.
+# This function parses the environment variable into a module variable
+# 
+def trusted_proxies():
+    proxies = os.environ.get('ZOPE_TRUSTED_PROXIES','')
+    proxies = proxies.split(':')
+    proxies = [p.strip() for p in proxies]
+    return tuple(proxies)
+trusted_proxies = trusted_proxies()
+