Commit 91f817fc authored by dario's avatar dario

web/views,util/web: only use REMOTE_ADDR, not X-FORWARDED_FOR

X-Forwarded-For is user-controlled and therefore useless for access
control.
parent 20b6c431
......@@ -103,14 +103,8 @@ class ThemeSupportTemplateLoader(BaseLoader):
return self.default_loader.get_source(environment, template)
def get_remote_addr(request):
try:
return request.environ['HTTP_X_FORWARDED_FOR'].split(',')[-1].strip()
except KeyError:
return request.environ['REMOTE_ADDR']
def remote_is_internal_network(request):
remote_addr = netaddr.IPAddress(get_remote_addr(request))
remote_addr = netaddr.IPAddress(request.environ['REMOTE_ADDR'])
for net in config.local_networks:
if remote_addr in netaddr.IPNetwork(net):
return True
......
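Review bot: The new `remote_addr = netaddr.IPAddress(request.environ['REMOTE_ADDR'])` only identifies the real client when the application terminates the connection itself; behind a reverse proxy REMOTE_ADDR is the proxy's own address, and if that address lies inside `config.local_networks` every request, internal or not, would be treated as internal. The commit message carries that rationale but the code does not, so a later maintainer may reintroduce the header lookup or deploy behind a proxy without noticing the assumption. I would add above that line `# REMOTE_ADDR comes from the socket peer as set by the WSGI server; it is only usable for access control when no proxy sits in front of the app. X-Forwarded-For is client-controlled and is deliberately not consulted.` The hunk header counts (14 old, 8 new) do not match the lines shown, so part of the hunk appears collapsed, and remote_is_internal_network continues outside it.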
......@@ -22,7 +22,7 @@ from pprint import pprint
import datetime
from util.web import expose, render_template, profify, completion_hints, \
update_meta_from_request, theme_for_url, local, get_remote_addr, \
update_meta_from_request, theme_for_url, local, \
remote_is_internal_network
from util.readMetaData import readMeta
from util.general import canonicalize_title, trim_pdf, empty_metadata
......