Red Hat Bugzilla – Attachment 369693 Details for Bug 537784: Use X-Forwarded-For instead of REMOTE_ADDR for trusted proxies
[patch] v1 patch to use X-forwarded-for instead of remote_addr for trusted proxies
proxies.patch (text/plain), 5.96 KB, created by Noura El hawary on 2009-11-16 13:25:00 UTC
>Index: Bugzilla/Auth/Login/Cookie.pm >=================================================================== >--- Bugzilla/Auth/Login/Cookie.pm (revision 1642) >+++ Bugzilla/Auth/Login/Cookie.pm (working copy) >@@ -35,7 +35,7 @@ > my $cgi = Bugzilla->cgi; > my $dbh = Bugzilla->dbh; > >- my $ip_addr = $cgi->remote_addr(); >+ my $ip_addr = remote_ip(); > my $net_addr = get_netaddr($ip_addr); > my $login_cookie = $cgi->cookie("Bugzilla_logincookie"); > my $user_id = $cgi->cookie("Bugzilla_login"); >Index: Bugzilla/Auth/Persist/Cookie.pm >=================================================================== >--- Bugzilla/Auth/Persist/Cookie.pm (revision 1642) >+++ Bugzilla/Auth/Persist/Cookie.pm (working copy) >@@ -49,7 +49,7 @@ > my $dbh = Bugzilla->dbh; > my $cgi = Bugzilla->cgi; > >- my $ip_addr = $cgi->remote_addr; >+ my $ip_addr = remote_ip(); > unless ($cgi->param('Bugzilla_restrictlogin') || > Bugzilla->params->{'loginnetmask'} == 32) > { >Index: Bugzilla/Error.pm >=================================================================== >--- Bugzilla/Error.pm (revision 1642) >+++ Bugzilla/Error.pm (working copy) >@@ -64,7 +64,7 @@ > for (1..75) { $mesg .= "-"; }; > $mesg .= "\n[$$] " . time2str("%D %H:%M:%S ", time()); > $mesg .= "$name $error "; >- $mesg .= "$ENV{REMOTE_ADDR} " if $ENV{REMOTE_ADDR}; >+ $mesg .= remote_ip(); > $mesg .= Bugzilla->user->login; > $mesg .= (' actually ' . Bugzilla->sudoer->login) if Bugzilla->sudoer; > $mesg .= "\n"; >Index: Bugzilla/Token.pm >=================================================================== >--- Bugzilla/Token.pm (revision 1642) >+++ Bugzilla/Token.pm (working copy) >@@ -145,7 +145,7 @@ > ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon; > } > >- my $eventdata = $::ENV{'REMOTE_ADDR'}; >+ my $eventdata = remote_ip(); > my ($token, $token_ts) = _create_token($user->id, 'password', $eventdata); > > if ($password_expired) { 
>@@ -292,7 +292,7 @@ > my $user = new Bugzilla::User($userid); > > $vars->{'emailaddress'} = $userid ? $user->email : $eventdata; >- $vars->{'remoteaddress'} = $::ENV{'REMOTE_ADDR'}; >+ $vars->{'remoteaddress'} = remote_ip(); > $vars->{'token'} = $token; > $vars->{'tokentype'} = $tokentype; > $vars->{'issuedate'} = $issuedate; >Index: Bugzilla/Util.pm >=================================================================== >--- Bugzilla/Util.pm (revision 1642) >+++ Bugzilla/Util.pm (working copy) >@@ -35,7 +35,7 @@ > detaint_signed > html_quote url_quote xml_quote > css_class_quote html_light_quote url_decode >- i_am_cgi get_netaddr correct_urlbase >+ i_am_cgi get_netaddr correct_urlbase remote_ip > lsearch ssl_require_redirect use_attachbase > diff_arrays > trim wrap_hard wrap_comment find_wrap_point >@@ -52,6 +52,7 @@ > use Date::Format; > use DateTime; > use DateTime::TimeZone; >+use List::Util qw(first); > use Digest; > use Email::Address; > use Scalar::Util qw(tainted); >@@ -304,6 +305,15 @@ > return 0; > } > >+sub remote_ip { >+ my $ip = $ENV{'REMOTE_ADDR'} || '127.0.0.1'; >+ my @proxies = split(/[\s,]+/, Bugzilla->params->{'inbound_proxies'}); >+ if (first { $_ eq $ip } @proxies) { >+ $ip = $ENV{'HTTP_X_FORWARDED_FOR'} if $ENV{'HTTP_X_FORWARDED_FOR'}; >+ } >+ return $ip; >+} >+ > sub correct_urlbase { > my $ssl = Bugzilla->params->{'ssl'}; > return Bugzilla->params->{'urlbase'} if $ssl eq 'never'; >Index: template/en/default/admin/params/core.html.tmpl >=================================================================== >--- template/en/default/admin/params/core.html.tmpl (revision 1642) >+++ template/en/default/admin/params/core.html.tmpl (working copy) 
>@@ -93,6 +93,13 @@ > "group cannot access the HTTP_PROXY environment variable. If you have to " _ > "authenticate, use the <code>http://user:pass@proxy_url/</code> syntax.", > >+ inbound_proxies => "When inbound traffic to $terms.Bugzilla goes through a proxy, " _ >+ "$terms.Bugzilla thinks that the IP address of every single " _ >+ "user is the IP address of the proxy. If you enter a comma-separated " _ >+ "list of IPs in this parameter, then $terms.Bugzilla will trust any " _ >+ "<code>X-Forwarded-For</code> header sent from those IPs, " _ >+ "and use the value of that header as the end user's IP address.", >+ > useajax => "Use Ajax techniques to enhance user experience by downloading certain " _ > "information only when needed.", > >Index: Bugzilla/Config/Core.pm >=================================================================== >--- Bugzilla/Config/Core.pm (revision 1642) >+++ Bugzilla/Config/Core.pm (working copy) >@@ -112,6 +113,12 @@ > }, > > { >+ name => 'inbound_proxies', >+ type => 't', >+ default => '' >+ }, >+ >+ { > name => 'useajax', > type => 'b', > default => '0', >Index: Bugzilla.pm >=================================================================== >--- Bugzilla.pm (revision 1642) >+++ Bugzilla.pm (working copy) >@@ -125,18 +125,6 @@ > }; > } > >- # REDHAT EXTENSION 434896 >- # HACK FOR PROXY PASS-THROUGH >- # If client if one of the proxy servers then we try to use the >- # HTTP_X_FORWARDED_FOR address as the client's real address >- my %rx = ( >- proxy_ip => qr/^10\.8\.2\.15\d$/, >- last_ip_in_chain => qr/([^,\s]+)$/, >- ); >- if (i_am_cgi() && $ENV{REMOTE_ADDR} =~ $rx{proxy_ip}) { >- $ENV{REMOTE_ADDR} = $ENV{HTTP_X_FORWARDED_FOR} =~ $rx{last_ip_in_chain} >- } >- > # If Bugzilla is shut down, do not allow anything to run, just display a > # message to the user about the downtime and log out. Scripts listed in > # SHUTDOWNHTML_EXEMPT are exempt from this message.
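Review bot: In the Bugzilla/Error.pm hunk, `$mesg .= remote_ip();` drops the trailing space that the old `"$ENV{REMOTE_ADDR} "` carried, so the address will run straight into the login name appended on the next line. Suggest `$mesg .= remote_ip() . " ";`. This log field can now also hold a value taken from a request header rather than the socket address, so it is worth making sure remote_ip() only ever returns something that looks like an IP address before it is written here.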
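Review bot: In the new remote_ip() in Bugzilla/Util.pm, the whole HTTP_X_FORWARDED_FOR value is returned as the address, but that header can carry a comma-separated chain when more than one proxy is involved, and every entry to the left of the one appended by the trusted proxy is supplied by the client. The Bugzilla.pm block this patch removes picked a single address with `qr/([^,\s]+)$/`; remote_ip() should do the same (take the last entry, or the right-most one not listed in inbound_proxies) and check that the result is a well-formed IP address before it reaches get_netaddr() in Auth/Login/Cookie.pm and the token event data in Token.pm.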
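Review bot: The inbound_proxies entry added in Bugzilla/Config/Core.pm is a free-text `type => 't'` parameter with no checker, while remote_ip() compares each entry to REMOTE_ADDR with a plain string `eq`. A typo, a hostname or a CIDR range in the parameter will silently never match and the proxy address will be used instead. Suggest adding a `checker` that rejects anything other than a list of IP addresses, and having the help text in core.html.tmpl say that ranges are not supported; the help text also says "comma-separated" while the split pattern `/[\s,]+/` accepts whitespace too, so the two should agree.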
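Review bot: Removing the REDHAT EXTENSION block from Bugzilla.pm while inbound_proxies defaults to '' means that, until an administrator fills in the parameter, requests arriving through the proxies the old `qr/^10\.8\.2\.15\d$/` pattern matched will be attributed to the proxy address, which affects the login-cookie IP check and the token mails touched elsewhere in this patch. The deployment notes should say which addresses to enter. The old pattern covered a range of addresses with one regex, whereas the new parameter needs each address listed individually.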
Flags: dkl: review+