upstream/kallithea Commit - r8678:f08fbf42

auth: don't trust clients too much - only trust the *last* IP in the X-Forwarded-For header...

Mads Kiilerich -

r8678:f08fbf42 default

parent child

kallithea/controllers/base.py

0 +7 -5

             def _filter_proxy(ip):
                 """
-                HEADERS can have multiple ips inside the left-most being the original
+                HTTP_X_FORWARDED_FOR headers can have multiple IP addresses, with the
-                client, and each successive proxy that passed the request adding the IP
+                leftmost being the original client. Each proxy that is forwarding the
-                address where it received the request from.
+                request will usually add the IP address it sees the request coming from.
-                :param ip:
+                The client might have provided a fake leftmost value before hitting the
+                first proxy, so if we have a proxy that is adding one IP address, we can
+                only trust the rightmost address.
                 """
                 if ',' in ip:
                     _ips = ip.split(',')
-                    _first_ip = _ips[0].strip()
+                    _first_ip = _ips[-1].strip()
                     log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)
                     return _first_ip
                 return ip

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages