[Zope] Zope and clients - debug info

Tino Wildenhain tino at wildenhain.de
Fri Sep 24 05:05:23 EDT 2004


Hi,

On Fri, 2004-09-24 at 10:36, kepes.krisztian wrote:
> Hi !
> 
> My question is that:
> I have a Zope site. It is intranet-only, but in the future we want to publish 
> it on the Internet.
> To make development simpler, I check REMOTE_ADDR.
> If it is a special intranet address (e.g. 192.168.3.8), or it is localhost, 
> then I show special elements (request data, and in std_err_msg I show 
> the traceback).
> 
> This information is hot info (the traceback shows the object's 
> real position!).
> 
> So I don't want to publish it to anybody, only to me.
> 
> (Because my home machine is not on the network, I must use localhost 
> when I am working at home).
> 
> But I think that it is possible for anybody who has a redirector 
> utility, or iptables, to map his localhost to my server.
> (Redirect it: iptables 127.0.0.1:80->http://myserverinnet).

No, that's not possible.

> Is it possible?
> If it happens, how is REMOTE_ADDR filled in by Zope?

The remote address is the address of the other end of the 
connection. So whatever connects to your Zope server
is the other end. From the viewpoint of your server there
is only one localhost = 127.0.0.1, that is its own localhost.
(Unless your network setup is horribly broken.)

If someone fakes a connection with source address 127.0.0.1
he will never get the answer packets from your server,
because they will be routed to the loopback device.

The only way to appear as localhost to the server
is by actually issuing the connection from there,
like working on the console or using a tunnel.
(And if someone is able to establish a tunnel to your
server, you have a lot more problems ;)

> I am afraid that when it happens, and REMOTE_ADDR shows as localhost,
> then my site thinks that the client is a developer, and shows the 
> hot debug info.

Don't confuse it with the target (virtual) host, which appears in your
browser's address bar. (See RFC 2616.)

IMHO a better solution for you would be to look at
the permissions of the actually logged-in user. And if
(s)he has the permission (like you, with the Manager role)
it should show more details.

Regards
Tino
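The two policies discussed in this thread side by side, as an added example that is not part of either message and not Zope's own code. `User` and `Request` are stand-ins for Zope's AUTHENTICATED_USER and REQUEST; `remote_addr` implements the generic proxy-aware derivation of REMOTE_ADDR (TCP peer first, X-Forwarded-For only from a configured trusted proxy, walked from the right), which is an assumption about how a server should behave rather than a copy of ZServer. The example also covers the one realistic way a stranger's request does arrive from 127.0.0.1: a reverse proxy or tunnel running on the Zope host itself, which is the tunnel case Tino mentions and which makes every client's TCP peer the loopback address. The addresses, users and the forged header are constructed sample data.

```python
from dataclasses import dataclass, field
import traceback

LOOPBACK = "127.0.0.1"
# Addresses the question treats as "developer" (localhost and the intranet box).
DEV_ADDRS = frozenset({LOOPBACK, "192.168.3.8"})


@dataclass(frozen=True)
class User:
    """Stand-in for Zope's AUTHENTICATED_USER: a name and a set of roles."""
    name: str
    roles: frozenset = frozenset()


@dataclass
class Request:
    """Stand-in for Zope's REQUEST.

    peer_addr is what the server learned from accept(): the other end of the
    TCP connection. headers is what the client (or a proxy) sent, so it is
    under the client's control.
    """
    peer_addr: str
    user: User
    headers: dict = field(default_factory=dict)


def remote_addr(req, trusted_proxies=frozenset()):
    """Derive REMOTE_ADDR the way a proxy-aware server does (assumed generic
    algorithm, not Zope's code).

    Start from the TCP peer. Only if that peer is a configured trusted proxy
    is X-Forwarded-For consulted, walked from the right and stopped at the
    first hop that is not itself a trusted proxy. A header sent directly by
    an untrusted client is ignored: the client cannot pick its own REMOTE_ADDR.
    """
    addr = req.peer_addr
    if addr not in trusted_proxies:
        return addr
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if hop not in trusted_proxies:
            return hop
    return addr  # header missing or lists only proxies: keep the peer


def show_debug_by_addr(req, trusted_proxies=frozenset()):
    """The question's policy: show tracebacks if REMOTE_ADDR looks local."""
    return remote_addr(req, trusted_proxies) in DEV_ADDRS


def show_debug_by_role(req):
    """The reply's suggestion: show tracebacks only to users holding Manager."""
    return "Manager" in req.user.roles


def std_err_msg(req, exc, show_debug):
    """Error page body: the traceback is appended only when the policy allows."""
    if show_debug(req):
        return "Internal error\n" + "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__))
    return "Internal error\n"


def sample_error_page(req, show_debug):
    """Raise a constructed failure and render it under the given policy."""
    try:
        raise ValueError("boom")  # constructed failure, not from the page
    except ValueError as exc:
        return std_err_msg(req, exc, show_debug)


def scenarios():
    """Constructed requests showing where each policy leaks or holds."""
    anon = User("Anonymous")
    admin = User("tino", frozenset({"Manager"}))
    forged = {"X-Forwarded-For": LOOPBACK}          # attacker-supplied header
    direct = Request("203.0.113.5", anon, forged)   # straight to the Zope port
    # Same client, but a reverse proxy on the Zope host relays the request:
    # the TCP peer is now the proxy, i.e. localhost, and the proxy appended
    # the real client address after the forged one.
    via_proxy = Request(LOOPBACK, anon,
                        {"X-Forwarded-For": "127.0.0.1, 203.0.113.5"})
    return {
        # forged header ignored, the peer is the real client
        "direct_forged_header": show_debug_by_addr(direct),
        # local proxy not declared trusted: every client looks like localhost
        "local_proxy_unconfigured": show_debug_by_addr(via_proxy),
        # proxy declared trusted: XFF walked from the right, past the forgery
        "local_proxy_trusted": show_debug_by_addr(via_proxy, frozenset({LOOPBACK})),
        # role-based: the address no longer matters
        "role_anonymous_at_localhost": show_debug_by_role(Request(LOOPBACK, anon)),
        "role_manager_remote": show_debug_by_role(Request("203.0.113.5", admin)),
    }
```

Run `scenarios()` to see the contrast: the forged header never reaches the decision, matching Tino's point, but an unconfigured local proxy turns the address check into "everyone is a developer", while the role check gives the same answer from the console and from a remote address.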
