On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
[...]
> But what about the case of multiple trusted proxies (not the case of
> the client acting as a proxy)?  Or what about if the proxy sends the
> XFF header as [CLIENTIP, PROXYIP] which is what I believe the major
> ones do and what causes the patch to break existing setups?

Exactly. We have to fix these cases, without breaking security. On the
other hand, maybe a reliable remote IP address is not that important.
Then, the doc should be fixed, because currently it somehow implies
that you can trust HTTP_X_FORWARDED_FOR in some cases. You can't.

Now, if having a reliable remote IP address is important, then a
setting (NUMBER_OF_TRUSTED_PROXY_SERVERS?) specifying how many values
you can trust is the only thing that occurs to me. (I'm not that
creative).

Then, you get the right remote IP using
x_forwarded_for.split(",")[-NUMBER_OF_TRUSTED_PROXY_SERVERS].strip().

What do you think?
-- 
Leo Soto M.
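The index arithmetic Leo proposes, as an added example that is not code from the thread or from Django: each trusted proxy appends the address it received the request from, so with N trusted proxies the client is the Nth entry from the right, and a header that is missing or shorter than N falls back to REMOTE_ADDR. The function name, the META-style dict and the sample addresses are assumptions of this example.

```python
# Added example, not from the thread: pick the client address out of
# X-Forwarded-For given a count of trusted proxies.  The setting name is
# Leo's suggestion; the helper and its fallback behaviour are assumed here.

NUMBER_OF_TRUSTED_PROXY_SERVERS = 2  # client -> proxy1 -> proxy2 -> app


def client_ip(meta, trusted=NUMBER_OF_TRUSTED_PROXY_SERVERS):
    """Return the client address for a request.META / WSGI-style dict.

    With N trusted proxies the client sits at index -N of the comma list.
    Anything further left was supplied by an untrusted party (possibly the
    client itself) and is ignored.  If the header is absent or has fewer
    than N entries, not every trusted proxy stamped it, so the only value
    worth anything is REMOTE_ADDR, the peer the server actually saw.
    """
    if trusted <= 0:
        # No trusted proxies: the header is attacker-controlled, ignore it.
        return meta.get("REMOTE_ADDR")
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted:
        return meta.get("REMOTE_ADDR")
    return hops[-trusted]


# Constructed sample requests (documentation addresses, not real hosts).
HONEST = {"REMOTE_ADDR": "10.0.0.2",
          "HTTP_X_FORWARDED_FOR": "203.0.113.7, 10.0.0.1"}
# Client sent its own bogus X-Forwarded-For; both proxies appended after it.
SPOOFED = {"REMOTE_ADDR": "10.0.0.2",
           "HTTP_X_FORWARDED_FOR": "192.0.2.99, 203.0.113.7, 10.0.0.1"}
# Header too short: the request did not come through both trusted proxies.
SHORT = {"REMOTE_ADDR": "10.0.0.2",
         "HTTP_X_FORWARDED_FOR": "192.0.2.99"}
DIRECT = {"REMOTE_ADDR": "198.51.100.5"}

if __name__ == "__main__":
    for name, meta in [("honest", HONEST), ("spoofed", SPOOFED),
                       ("short", SHORT), ("direct", DIRECT)]:
        print(name, "->", client_ip(meta))
```

If a proxy also appends its own address, as in the [CLIENTIP, PROXYIP] layout Deryck mentions, that extra entry has to be included in the count.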
