[zope2-tracker] [Bug 855649] [NEW] Security enhancement for reverse proxy setups
gabriel
gabriel at hrz.uni-marburg.de
Wed Sep 21 10:31:50 EST 2011
Public bug reported:
Zope is typically deployed behind a reverse proxy. Therefore it is necessary to configure the trusted-proxy environment variable of zope.conf to resolve the client IP address from the "x-forwarded-for" header that is added by the proxy. Currently, if the trusted-proxy IP address is mistyped, Zope ignores the "x-forwarded-for" header and sets the client IP address to the IP address of the proxy. The fallback to the IP address of the proxy could be a security problem if there are any security policies configured (autorole etc.) based on the IP address of the client. We suggest that Zope should raise an error if trusted-proxy environment is set but Zope receives a "x-forwarded-for" header from an untrusted proxy. The added patch supports this behavior.
** Affects: zope2
Importance: Undecided
Status: New
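The two behaviours the report contrasts (silent fallback to the proxy's own address versus rejecting a forwarded header from an untrusted peer), as an added example that is not the report's patch or Zope's own code. It assumes a WSGI-style environ dict, that the zope.conf trusted-proxy value has already been parsed into a list of IP strings, and uses its own right-to-left walk of the header to find the client behind chained trusted hops.

```python
import ipaddress


class UntrustedProxyError(Exception):
    """X-Forwarded-For arrived from a peer that is not a configured trusted proxy."""


def _is_trusted(addr, trusted):
    # Anything that does not parse as an IP address cannot be a trusted proxy.
    try:
        return ipaddress.ip_address(addr.strip()) in trusted
    except ValueError:
        return False


def resolve_client_ip(environ, trusted_proxies, strict=False):
    """Return the client address for a WSGI-style environ dict.

    trusted_proxies: IP strings taken from zope.conf trusted-proxy (assumed parsed).
    strict=False: the fallback the report describes (peer not trusted -> its own IP).
    strict=True:  the behaviour the report proposes (peer not trusted -> raise).
    """
    remote = environ["REMOTE_ADDR"]
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if not xff:
        return remote
    if not _is_trusted(remote, trusted):
        if strict and trusted:
            raise UntrustedProxyError(
                f"X-Forwarded-For from untrusted peer {remote}; check trusted-proxy")
        return remote  # silent fallback: the proxy's IP is reported as the client
    # Peer is trusted: walk the header right-to-left, skipping further trusted
    # hops, and take the first address that is not one of our proxies.
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if not _is_trusted(hop, trusted):
            return hop
    return remote


if __name__ == "__main__":
    # Constructed sample request: proxy 10.0.0.5 forwarding for client 203.0.113.9
    env = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "203.0.113.9"}
    print(resolve_client_ip(env, ["10.0.0.5"]))    # 203.0.113.9
    print(resolve_client_ip(env, ["10.0.0.50"]))   # 10.0.0.5 (mistyped trusted-proxy)
    try:
        resolve_client_ip(env, ["10.0.0.50"], strict=True)
    except UntrustedProxyError as e:
        print("rejected:", e)
```

With `strict=False` the mistyped value produces the proxy address as the client, which is exactly what an IP-based role policy would then act on; with `strict=True` the misconfiguration fails loudly at the first forwarded request.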
https://bugs.launchpad.net/bugs/855649