Support for X-HTTPD-FORWARDED-FOR Re: [Zope-dev] Speaking of 2.6...
Oliver Bleutgen
myzope@gmx.net
Wed, 10 Apr 2002 18:59:38 +0200
Jim Washington wrote:
> 2. If we want to get fancy about allowing authentication using that ip
> address like naked ZServers can do,
>
> In lib/python/AccessControl/User.py, around line 1116,
> change
>
> if request.has_key('REMOTE_ADDR'):
>     addr=request['REMOTE_ADDR']
>
> to
>
> if request.has_key('HTTP_X_FORWARDED_FOR'):
>     addr=request['HTTP_X_FORWARDED_FOR']
> elif request.has_key('REMOTE_ADDR'):
>     addr=request['REMOTE_ADDR']
>
> I do not believe this does anything to authentication that is not
> possible now regarding spoofed ip addresses, so probably not a major
> security headache.
Correct me if I'm wrong, but this IMO makes spoofing against a naked
ZServer child's play. It's just adding a custom header to the request.
I also doubt that every reverse proxy overwrites this header, so
ZServers behind a proxy might also be hit.
TCP spoofing OTOH is far more complicated, if (does it?) Zope turns off
the source routing option when replying, if present. IMO something like
cracking a router or predicting sequence numbers is on another level from
adding a custom HTTP header.
cheers,
oliver
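The spoof Oliver describes, worked through as an added example that is not part of the thread and not Zope's own code. It contrasts the lookup order proposed in the quoted message (any X-Forwarded-For header beats the TCP peer address) with a variant that only believes the header when the TCP peer is a known reverse proxy, and then reads the list from the right past our own hops. The request dicts, the 10.0.0.5 proxy address, the 192.168.1.0/24 "internal" restriction and the attacker address 203.0.113.7 are all constructed for illustration; modern Python 3 is used rather than the Zope 2 code base.

```python
import ipaddress

# Assumption: the only host allowed to set X-Forwarded-For is our own reverse proxy.
TRUSTED_PROXIES = {"10.0.0.5"}

# Assumption: a user account restricted (Zope "domains"-style) to an internal network.
INTERNAL = ["192.168.1.0/24"]


def client_addr_naive(request):
    """The lookup order proposed in the quoted message: an X-Forwarded-For
    header, which any client can add, wins over the TCP peer address."""
    if "HTTP_X_FORWARDED_FOR" in request:
        return request["HTTP_X_FORWARDED_FOR"]
    if "REMOTE_ADDR" in request:
        return request["REMOTE_ADDR"]
    return None


def client_addr_trusting_proxy(request):
    """Believe X-Forwarded-For only when the TCP peer is one of our proxies.
    Walk the comma-separated list right to left, skipping our own hops, so an
    entry the client prepended itself is never reached first."""
    peer = request.get("REMOTE_ADDR")
    if peer not in TRUSTED_PROXIES:
        return peer  # naked server, or an unknown peer: the header is untrusted
    raw = request.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # garbage in the header: fall back to the TCP peer
        if hop not in TRUSTED_PROXIES:
            return hop
    return peer


def addr_allowed(addr, allowed_networks):
    """Address-based restriction: addr must be a valid IP inside one of the networks."""
    if addr is None:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # e.g. a raw "a, b" header value is not an address
    return any(ip in ipaddress.ip_network(n) for n in allowed_networks)


# Constructed CGI-style request environments (the keys Zope's REQUEST exposes).
# 1. Naked ZServer: the attacker on the Internet simply adds the header.
NAKED_SPOOF = {"REMOTE_ADDR": "203.0.113.7",
               "HTTP_X_FORWARDED_FOR": "192.168.1.10"}
# 2. Behind a proxy that passes the client's header through untouched.
PASSTHROUGH_SPOOF = {"REMOTE_ADDR": "10.0.0.5",
                     "HTTP_X_FORWARDED_FOR": "192.168.1.10"}
# 3. Behind a proxy that appends the real peer to whatever the client sent.
APPENDING_PROXY_SPOOF = {"REMOTE_ADDR": "10.0.0.5",
                         "HTTP_X_FORWARDED_FOR": "192.168.1.10, 203.0.113.7"}
# 4. Honest internal client behind the appending proxy.
APPENDING_PROXY_HONEST = {"REMOTE_ADDR": "10.0.0.5",
                          "HTTP_X_FORWARDED_FOR": "192.168.1.10"}


def evaluate(request):
    """Return (naive decision, proxy-trusting decision) for the INTERNAL restriction."""
    return (addr_allowed(client_addr_naive(request), INTERNAL),
            addr_allowed(client_addr_trusting_proxy(request), INTERNAL))


if __name__ == "__main__":
    for name, req in [("naked spoof", NAKED_SPOOF),
                      ("pass-through proxy spoof", PASSTHROUGH_SPOOF),
                      ("appending proxy spoof", APPENDING_PROXY_SPOOF),
                      ("appending proxy honest", APPENDING_PROXY_HONEST)]:
        print("%-26s naive=%s trusting_proxy=%s" % ((name,) + evaluate(req)))
```

The first case is the one Oliver raises: against a naked server the naive lookup lets the attacker in and the proxy-trusting lookup does not, because the TCP peer is not a proxy. The second case is his other worry: if the proxy forwards the header unchanged, both lookups are fooled, since the header now arrives from a trusted peer and contains only the attacker's value. Trusting the proxy therefore only works when the proxy is known to append (or overwrite with) the real peer address, as in the third case, where the right-to-left walk lands on 203.0.113.7.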