Support for X-HTTPD-FORWARDED-FOR Re: [Zope-dev] Speaking of 2.6...

Jim Penny jpenny@universal-fasteners.com
Wed, 10 Apr 2002 14:28:14 -0400


On Wed, Apr 10, 2002 at 06:59:38PM +0200, Oliver Bleutgen wrote:
> Jim Washington wrote:
> 
> 
> >2.  If we want to get fancy about allowing authentication using that ip 
> >address like naked ZServers can do,
> >
> >In lib/python/AccessControl/User.py, around line 1116,
> >change
> >
> >   if request.has_key('REMOTE_ADDR'):
> >      addr=request['REMOTE_ADDR']
> >
> >to
> >
> >   if request.has_key('HTTP_X_FORWARDED_FOR'):
> >      addr=request['HTTP_X_FORWARDED_FOR']
> >   elif request.has_key('REMOTE_ADDR'):
> >      addr=request['REMOTE_ADDR']
> >
> >I do not believe this does anything to authentication that is not 
> >possible now regarding spoofed ip addresses, so probably not a major 
> >security headache.
> 
> Correct me if I'm wrong, but this IMO makes spoofing against a naked 
> ZServer child's play. It's just adding a custom header to the request.
> I also doubt that every reverse proxy overwrites this header, so 
> zservers behind a proxy might also be hit.

Note:  this is using another web server to front for zope.  It turns out
to be fairly safe -- I have used a variant for quite a while and did
quite a bit of testing.  For shorthand, I am going to call the other web
server apache.  Apache presumably uses something like getpeername to
fill in its idea of HTTP_X_FORWARDED_FOR or REMOTE_ADDR.  If the remote
user attempts to spoof it (by using hidden variables, or other HTTP
based techniques), the Zope server interprets this as a list, rather
than the expected string.  This is easy to detect, and in fact, if you
fail to handle it, you will probably simply error out.

If the attacker is using TCP spoofing, there is really not much you can
do at an application level.

On the other hand, I am now convinced that this is not an intelligent
thing to do, not even for presentation.  You already have Apache in
front, so why not use rewriting rules to make the URL distinguishable.
In this way, you can use one of the BASE or URL variables to determine
how the person got in.  This gives you pretty much the same level of
control (especially if you are worried only about internal/external) as
using IP addresses, without modifying either Zope or Apache.

Jim Penny

> 
> TCP spoofing OTOH is far more complicated, if (does it?) zope turns off 
> the source routing option when replying, if present. IMO something like 
> cracking a router or predicting sequence numbers is another level from 
> adding a custom http-header.
> 
> 
> cheers,
> oliver
> 
> 
> 
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists - 
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope )
>
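As an added example (not code from the thread or from Zope), the helper below shows the trust question the messages argue about: it reads HTTP_X_FORWARDED_FOR only when the TCP peer is a known reverse proxy, and then takes only the entry that proxy appended, so a header supplied by a direct client is ignored. The proxy address and the sample requests are constructed; `naive_address` restates the quoted patch for comparison.

```python
import ipaddress

# Constructed for this example: the reverse proxy (Apache in the thread)
# whose appended X-Forwarded-For entry we are willing to believe.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_address(environ):
    """Mirrors the quoted patch: prefers the header unconditionally."""
    if "HTTP_X_FORWARDED_FOR" in environ:
        return environ["HTTP_X_FORWARDED_FOR"]
    return environ.get("REMOTE_ADDR")


def client_address(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the client IP as a string, or None when it cannot be trusted.

    REMOTE_ADDR is the TCP peer (what the front end learns via getpeername).
    Only when that peer is a known proxy do we read HTTP_X_FORWARDED_FOR, and
    then only its last entry, the one the proxy itself appended; anything a
    client sent ahead of it, or the whole header on a direct connection, is
    attacker-controlled and ignored.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "").strip())
    except ValueError:
        return None  # no usable peer address: fail closed
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if peer not in trusted_proxies or xff is None:
        return str(peer)
    # The thread notes a spoofed header can show up as a list rather than a
    # string; a proxy that appends produces "injected, real" as one string.
    # Normalise both shapes to a flat list of entries.
    items = xff if isinstance(xff, (list, tuple)) else [xff]
    parts = [p.strip() for item in items for p in str(item).split(",")]
    try:
        return str(ipaddress.ip_address(parts[-1]))
    except ValueError:
        return None  # malformed trailing entry: do not guess


if __name__ == "__main__":
    # Constructed request: a direct client adds its own X-Forwarded-For.
    direct_spoof = {"REMOTE_ADDR": "203.0.113.7",
                    "HTTP_X_FORWARDED_FOR": "192.168.1.1"}
    print(naive_address(direct_spoof))   # 192.168.1.1: the header was believed
    print(client_address(direct_spoof))  # 203.0.113.7: the TCP peer wins
```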