comparison roundup/scripts/roundup_server.py @ 5303:5017c3422334
Pass X-Forwarded-For and X-Forwarded-Proto headers as
HTTP_X-FORWARDED-FOR and HTTP_X-FORWARDED-PROTO variables
in the tracker environment array.
Neither of these variables should be used by the core code unless
config.ini params are added to control their use.
I use the FORWARDED-FOR variable to disable the reCAPTCHA extension
check if it is a local address using:
```python
if 'HTTP_X-FORWARDED-FOR' in self.client.env:
    # if proxied from client at local site, don't validate captcha
    # used for running automated tests.
    clientip = self.client.env['HTTP_X-FORWARDED-FOR'].split(',')[0]
    if clientip.startswith("192.168.10."):
        secret = "none"
```
I run a front end web server that proxies over loopback to the running
roundup-server. So I feel I can trust the X-Forwarded-For header. In
other setups that may not be true. Hence the requirement that it not
be used in core roundup code without allowing the roundup admin the
ability to disable it.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 09 Oct 2017 17:54:54 -0400 |
| parents | e9158c0a6eba |
| children | 762222535a0b |
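The commit message reads the first comma-separated entry of X-Forwarded-For as the client address. That entry is the one a client can supply itself when the front-end proxy appends to the header rather than replacing it, so an extension that trusts it can be talked into skipping the captcha. The example below is added here and is not part of this change set or of Roundup; it resolves the client address by walking the chain from the right and discarding only the proxies the deployment trusts, then redoes the local-site check on that address. The loopback trusted-proxy list, the 192.168.10.0/24 "local site" network, and the use of Python 3's ipaddress module are assumptions.

```python
"""Added example (not Roundup code): resolve the real client address from an
X-Forwarded-For chain before using it for a trust decision."""
import ipaddress

# Assumed deployment (from the commit message): the front-end proxy reaches
# roundup-server over loopback, so loopback is the only trusted proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
# Assumed "local site" range; the commit message's prefix test "192.168.10."
# is equivalent to this /24.
LOCAL_SITE = ipaddress.ip_network("192.168.10.0/24")


def client_ip(env, remote_addr):
    """Return the client address as a string, or None if it is undecidable.

    env is the tracker environment dict (same key the change set populates,
    'HTTP_X-FORWARDED-FOR'); remote_addr is the TCP peer of roundup-server.
    Hops are read from the right: each trusted proxy vouches for the entry
    to its left, and the first entry that is not a trusted proxy is the
    client. If the TCP peer itself is not trusted, the header is ignored.
    """
    hops = []
    for entry in env.get("HTTP_X-FORWARDED-FOR", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            hops.append(ipaddress.ip_address(entry))
        except ValueError:
            # Malformed entry: the header is untrusted input, give up.
            return None
    hops.append(ipaddress.ip_address(remote_addr))

    # Discard trusted proxies from the right; never discard the last hop.
    while len(hops) > 1 and any(hops[-1] in net for net in TRUSTED_PROXIES):
        hops.pop()
    return str(hops[-1])


def skip_captcha(env, remote_addr):
    """The commit message's local-site check, done on the resolved address.

    Returns True only when the address vouched for by the trusted proxy is
    in LOCAL_SITE; a forged leftmost entry does not get a client past it.
    """
    ip = client_ip(env, remote_addr)
    return ip is not None and ipaddress.ip_address(ip) in LOCAL_SITE


if __name__ == "__main__":
    # Constructed request: client forged a local-looking first entry, the
    # proxy appended the real peer address.
    forged = {"HTTP_X-FORWARDED-FOR": "192.168.10.7, 203.0.113.5"}
    print(client_ip(forged, "127.0.0.1"))      # 203.0.113.5
    print(skip_captcha(forged, "127.0.0.1"))   # False
```

The header is only honoured when the request actually arrived from a trusted proxy; a direct connection carrying an X-Forwarded-For header yields the peer address instead. Any unparsable entry makes the result None, which the captcha check treats as "not local".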
| 5302:132801e38324 | 5303:5017c3422334 |
|---|---|
| 373 env['SERVER_PORT'] = str(self.server.server_port) | 373 env['SERVER_PORT'] = str(self.server.server_port) |
| 374 try: | 374 try: |
| 375 env['HTTP_HOST'] = self.headers ['host'] | 375 env['HTTP_HOST'] = self.headers ['host'] |
| 376 except KeyError: | 376 except KeyError: |
| 377 env['HTTP_HOST'] = '' | 377 env['HTTP_HOST'] = '' |
| 378 # https://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-10 | |
| 379 # headers. | |
| 378 xfh = self.headers.getheader('X-Forwarded-Host', None) | 380 xfh = self.headers.getheader('X-Forwarded-Host', None) |
| 379 if xfh: | 381 if xfh: |
| 382 # If behind a proxy, this is the hostname supplied | |
| 383 # via the Host header to the proxy. Used by core code. | |
| 384 # Controlled by the CSRF settings. | |
| 380 env['HTTP_X-FORWARDED-HOST'] = xfh | 385 env['HTTP_X-FORWARDED-HOST'] = xfh |
| 386 xff = self.headers.getheader('X-Forwarded-For', None) | |
| 387 if xff: | |
| 388 # xff is a list of ip addresses for original client/proxies: | |
| 389 # X-Forwarded-For: clientIP, proxy1IP, proxy2IP | |
| 390 # May not be trustworthy. Do not use in core without | |
| 391 # config option to control its use. | |
| 392 # Made available for extensions if the user trusts it. | |
| 393 # E.g. you may wish to disable recaptcha validation extension | |
| 394 # if the ip of the client matches 172.16.0.0. | |
| 395 env['HTTP_X-FORWARDED-FOR'] = xff | |
| 396 xfp = self.headers.getheader('X-Forwarded-Proto', None) | |
| 397 if xfp: | |
| 398 # xfp is the protocol (http/https) seen by proxies in the | |
| 399 # path of the request. I am not sure if there is only | |
| 400 # one value or multiple, but I suspect multiple | |
| 401 # is possible so: | |
| 402 # X-Forwarded-Proto: https, http | |
| 403 # is expected if the path is: | |
| 404 # client -> proxy1 -> proxy2 -> back end server | |
| 405 # an proxy1 is an SSL terminator. | |
| 406 # May not be trustworthy. Do not use in core without | |
| 407 # config option to control its use. | |
| 408 # Made available for extensions if the user trusts it. | |
| 409 env['HTTP_X-FORWARDED-PROTO'] = xfp | |
| 381 if os.environ.has_key('CGI_SHOW_TIMING'): | 410 if os.environ.has_key('CGI_SHOW_TIMING'): |
| 382 env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING'] | 411 env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING'] |
| 383 env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language') | 412 env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language') |
| 384 referer = self.headers.get('Referer') | 413 referer = self.headers.get('Referer') |
| 385 if referer: | 414 if referer: |
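Review bot: the comment at 388-394 should tell extension authors which X-Forwarded-For entry to read and when to ignore the header, because the value is stored verbatim at 395 and the example "clientIP, proxy1IP, proxy2IP" invites reading the leftmost entry, which is the one an original client can supply itself when a proxy appends rather than replaces. Suggest adding to the comment that a trusting extension should walk the list from the right past its own known proxies and take the first entry that is not one of them, and should disregard the header entirely when the request did not arrive from the trusted front end. Two smaller points in the same comments: the example network at 394 (172.16.0.0) does not match the 192.168.10. range used in the commit message, so pick one; and "an proxy1 is an SSL terminator" at 405 should read "and proxy1 is an SSL terminator". The uncertainty about multiple X-Forwarded-Proto values at 399-401 would also be better stated as "the value may be a comma-separated list" rather than as a suspicion.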
