diff roundup/scripts/roundup_server.py @ 5303:5017c3422334

Pass X-Forwarded-For and X-Forwarded-Proto headers as HTTP_X-FORWARDED-FOR and HTTP_X-FORWARDED-PROTO variables in the tracker environment array. Neither of these variables should be used by the core code unless config.ini params are added to control their use.

I use the FORWARDED-FOR variable to disable the reCAPTCHA extension check if it is a local address using:

    if 'HTTP_X-FORWARDED-FOR' in self.client.env:
        # if proxied from client at local site, don't validate captcha
        # used for running automated tests.
        clientip = self.client.env['HTTP_X-FORWARDED-FOR'].split(',')[0]
        if clientip.startswith("192.168.10."):
            secret = "none"

I run a front end web server that proxies over loopback to the running roundup-server. So I feel I can trust the X-Forwarded-For header. In other setups that may not be true. Hence the requirement that it not be used in core roundup code without allowing the roundup admin the ability to disable it.
author John Rouillard <rouilj@ieee.org>
date Mon, 09 Oct 2017 17:54:54 -0400
parents e9158c0a6eba
children 762222535a0b
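The commit message takes the leftmost X-Forwarded-For entry and trusts it because the only hop in front of roundup-server is a loopback proxy. The following is an added example, not Roundup code, showing how an extension can make that trust explicit: it only honours the header when the TCP peer is a trusted proxy, and it walks the chain from the right so that a client-supplied leftmost entry is never treated as the client address unless every hop after it is trusted. The trusted-proxy set (loopback only) and the local site range 192.168.10.0/24 are assumptions taken from the commit message's deployment.

```python
import ipaddress

# Assumption: the only proxy in front of roundup-server is on loopback,
# as in the deployment described in the commit message.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]
# Assumption: the "local site" range used for the captcha bypass.
LOCAL_SITE = ipaddress.ip_network("192.168.10.0/24")


def _is_trusted(addr, trusted):
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # unparseable hop is never trusted
    return any(ip in net for net in trusted)


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to treat as the client.

    peer_addr is the TCP peer of roundup-server; xff_header is the raw
    X-Forwarded-For value or None.  The header is ignored unless the peer
    itself is a trusted proxy.  The chain is then walked right to left:
    every trusted hop is discarded and the first untrusted hop is the
    client.  Leftmost entries are attacker-supplied and only become the
    answer when all hops to their right are trusted proxies."""
    if xff_header is None or not _is_trusted(peer_addr, trusted):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return hops[0] if hops else peer_addr


def from_local_site(peer_addr, env):
    """The commit message's local-site test, with the trust check applied.

    env is the tracker environment dict (constructed sample in the test)."""
    ip = client_ip(peer_addr, env.get("HTTP_X-FORWARDED-FOR"))
    try:
        return ipaddress.ip_address(ip) in LOCAL_SITE
    except ValueError:
        return False
```

With `split(',')[0]` a request arriving via the loopback proxy with `X-Forwarded-For: 192.168.10.7, 203.0.113.9` would pass as local; the right-to-left walk above returns 203.0.113.9 for it.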
--- a/roundup/scripts/roundup_server.py	Fri Oct 06 21:35:28 2017 -0400
+++ b/roundup/scripts/roundup_server.py	Mon Oct 09 17:54:54 2017 -0400
@@ -375,9 +375,38 @@
             env['HTTP_HOST'] = self.headers ['host']
         except KeyError:
             env['HTTP_HOST'] = ''
+        # https://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-10
+        # headers.
         xfh = self.headers.getheader('X-Forwarded-Host', None)
         if xfh:
+            # If behind a proxy, this is the hostname supplied
+            # via the Host header to the proxy. Used by core code.
+            # Controlled by the CSRF settings.
             env['HTTP_X-FORWARDED-HOST'] = xfh
+        xff = self.headers.getheader('X-Forwarded-For', None)
+        if xff:
+            # xff is a list of ip addresses for original client/proxies:
+            # X-Forwarded-For: clientIP, proxy1IP, proxy2IP
+            # May not be trustworthy. Do not use in core without
+            # config option to control its use.
+            # Made available for extensions if the user trusts it.
+            # E.g. you may wish to disable recaptcha validation extension
+            # if the ip of the client matches 172.16.0.0.
+            env['HTTP_X-FORWARDED-FOR'] = xff
+        xfp = self.headers.getheader('X-Forwarded-Proto', None)
+        if xfp:
+            # xfp is the protocol (http/https) seen by proxies in the
+            # path of the request. I am not sure if there is only
+            # one value or multiple, but I suspect multiple
+            # is possible so:
+            # X-Forwarded-Proto: https, http
+            # is expected if the path is:
+            #    client -> proxy1 -> proxy2 -> back end server
+            # an proxy1 is an SSL terminator.
+            # May not be trustworthy. Do not use in core without
+            # config option to control its use.
+            # Made available for extensions if the user trusts it.
+            env['HTTP_X-FORWARDED-PROTO'] = xfp
         if os.environ.has_key('CGI_SHOW_TIMING'):
             env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
         env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')
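Review bot: the new X-Forwarded-For and X-Forwarded-Proto lookups use getheader(), which yields a single header value, while the comments describe these headers as a comma-separated chain built up by several proxies; a proxy that adds its own X-Forwarded-For line instead of extending the existing one would leave part of the chain out of the env variable. Consider collecting all occurrences (for example getheaders('X-Forwarded-For') joined with ', ') so the env value carries the whole chain the comment promises. Two smaller points in the comments: "an proxy1 is an SSL terminator" should read "and proxy1 is an SSL terminator", and the draft linked at the top of the hunk defines the Forwarded header rather than the X-Forwarded-* family these lines handle, so the comment should say it is only related reading.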

Roundup Issue Tracker: http://roundup-tracker.org/