Support for X-HTTPD-FORWARDED-FOR Re: [Zope-dev] Speaking of 2.6...

Oliver Bleutgen myzope@gmx.net
Wed, 10 Apr 2002 18:59:38 +0200


Jim Washington wrote:


> 2.  If we want to get fancy about allowing authentication using that ip 
> address like naked ZServers can do,
> 
> In lib/python/AccessControl/User.py, around line 1116,
> change
> 
>    if request.has_key('REMOTE_ADDR'):
>       addr=request['REMOTE_ADDR']
> 
> to
> 
>    if request.has_key('HTTP_X_FORWARDED_FOR'):
>       addr=request['HTTP_X_FORWARDED_FOR']
>    elif request.has_key('REMOTE_ADDR'):
>       addr=request['REMOTE_ADDR']
> 
> I do not believe this does anything to authentication that is not 
> possible now regarding spoofed IP addresses, so probably not a major 
> security headache.

Correct me if I'm wrong, but this IMO makes spoofing against a naked 
ZServer child's play. It's just adding a custom header to the request.
I also doubt that every reverse proxy overwrites this header, so 
ZServers behind a proxy might also be hit.

TCP spoofing OTOH is far more complicated, if (does it?) Zope turns off 
the source routing option when replying, if present. IMO something like 
cracking a router or predicting sequence numbers is another level from 
adding a custom HTTP header.


cheers,
oliver
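As an added illustration (not from this thread or from Zope's own code), the lookup quoted above beside a version that honours the header only when the TCP peer is a configured reverse proxy; the proxy address and the request dicts are constructed stand-ins for the real ZServer request.

```python
"""Trusting X-Forwarded-For for IP-based access decisions.

naive_client_addr() mirrors the quoted patch; client_addr() is the
hardened form: the header is used only when REMOTE_ADDR is a known
proxy, and the chain is read from the right so a value prepended by
the client (the left-most hop) is never selected.
"""
import ipaddress

# Constructed: addresses of the reverse proxies in front of this server.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_client_addr(request):
    """Behaviour of the quoted patch: any client can set the header."""
    if "HTTP_X_FORWARDED_FOR" in request:
        return request["HTTP_X_FORWARDED_FOR"]
    return request.get("REMOTE_ADDR")


def client_addr(request, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to use for IP checks, or None to fail closed."""
    try:
        peer = ipaddress.ip_address(request.get("REMOTE_ADDR"))
    except ValueError:
        return None
    if peer not in trusted_proxies:
        # Naked server: the header is attacker-controlled, use the TCP peer.
        return str(peer)
    hops = [h.strip() for h in request.get("HTTP_X_FORWARDED_FOR", "").split(",")
            if h.strip()]
    # Walk right to left, skipping our own proxies; the first foreign hop
    # is the address the outermost trusted proxy actually saw.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed chain: grant nothing on IP grounds
        if addr not in trusted_proxies:
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    forged = {"REMOTE_ADDR": "203.0.113.9",
              "HTTP_X_FORWARDED_FOR": "192.0.2.1"}  # constructed request
    print(naive_client_addr(forged), client_addr(forged))
```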