[Zope-dev] Patch acceptance. What about this one?
Adam Manock
abmanock@earthlink.net
Fri, 28 Dec 2001 08:16:58 -0500
> > > Just to be safe ... You shouldn't use this entire patch unless your
> > > server is behind apache or a proxy server and best if protected by a
> > > firewall. It could open a potential security leak if you use the
> > > "domains" field for authentication and the zope server is not
> > > protected by apache.
> >
> > Is the issue that the X-Forwarded-For header controls the domain setting?
> >
>
>yes ... everyone should probably not use this patch
>right-out-of-the-box.
Thanks guys!
My apologies if I kicked the ball a little harder than was needed to get it
rolling.
In any case, it looks like a little more work is required before this patch
will be ready for mainstream.
'HTTP_X_FORWARDED_FOR' should probably be ignored unless Zope is
explicitly told to look at it. A list of allowed proxiers, perhaps set as a
startup parameter?
Or a switch to turn it on (off by default) and a warning about restricting
where
direct connections to Zope are allowed from?
In the meantime, a couple of restrictive firewall rules on the my Zope box
will
prevent malicious users from connecting directly to Zope with fake
HTTP_X_FORWARDED_FOR.
Adam
ps.
Soon as I get it all working perfectly I'll be putting everything I know about
using Zope with mod_proxy in a doc for zope.org. (Yes, yet another match
when you search for "proxypass", hopefully the last needed for while.)