On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
[...]
> But what about the case of multiple trusted proxies (not the case of
> the client acting as a proxy)? Or what about if the proxy sends the
> XFF header as [CLIENTIP, PROXYIP] which is what I believe the major
> ones do and what causes the patch to break existing setups?

Exactly. We have to fix these cases, without breaking security.

On the other hand, maybe a reliable remote IP address is not that important. Then, the doc should be fixed, because currently it somehow implies that you can trust HTTP_X_FORWARDED_FOR in some cases. You can't.

Now, if having a reliable remote IP address is important, then a setting (NUMBER_OF_TRUSTED_PROXY_SERVERS?) specifying how many values you can trust is the only thing that occurs to me. (I'm not that creative). Then, you get the right remote IP using x_forwarded_for.split(",")[-NUMBER_OF_TRUSTED_PROXY_SERVERS].strip().

What do you think?

--
Leo Soto M.
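
The indexing proposed in the message above, as an added example (not code from the thread or from Django), with the edge cases the one-liner leaves open. `client_ip` and its `trusted_proxies` parameter are hypothetical names standing in for the proposed NUMBER_OF_TRUSTED_PROXY_SERVERS setting, and the code assumes every trusted proxy appends its peer's address to the header.

```python
import ipaddress


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Pick the client address out of X-Forwarded-For.

    trusted_proxies is the hypothetical NUMBER_OF_TRUSTED_PROXY_SERVERS
    value. Assumption: each trusted proxy appends the address of the peer
    it received the request from, so only the last `trusted_proxies`
    entries were written by infrastructure you control.
    """
    if trusted_proxies < 0:
        raise ValueError("trusted_proxies must be >= 0")

    # With no trusted proxy the whole header is client-supplied. A bare
    # [-0] would also index element 0, the entry easiest to forge.
    if trusted_proxies == 0 or not x_forwarded_for:
        return remote_addr

    hops = [h.strip() for h in x_forwarded_for.split(",")]

    # Fewer entries than trusted proxies: the request did not traverse the
    # full chain, so no entry can be attributed to a trusted proxy.
    if len(hops) < trusted_proxies:
        return remote_addr

    candidate = hops[-trusted_proxies]
    try:
        # Reject anything that is not a literal IPv4/IPv6 address.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr


if __name__ == "__main__":
    # Constructed sample: one trusted proxy, client prepends a forged entry.
    print(client_ip("10.0.0.2", "192.0.2.1, 203.0.113.7", 1))
```

Entries to the left of the selected one are ignored because the client can set them to anything.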