[Zope3-dev] a way to get the client IP address in Zope 3?
Martijn Faassen
faassen at infrae.com
Thu Sep 29 11:45:26 EDT 2005
Hi there,

There doesn't appear to be a way to get the client's IP address from the
request. Zope 2 has a getClientAddr() on the request object that uses
_client_addr, which gets created like this:

    if environ.has_key('REMOTE_ADDR'):
        self._client_addr = environ['REMOTE_ADDR']
        if (environ.has_key('HTTP_X_FORWARDED_FOR') and
            self._client_addr in trusted_proxies):
            # REMOTE_ADDR is one of our trusted local proxies. Not
            # really very remote at all.
            # The proxy can tell us the IP of the real remote client in
            # the forwarded-for header
            self._client_addr = environ[
                'HTTP_X_FORWARDED_FOR'].split(',')[-1].strip()
    else:
        self._client_addr = ''

    # The trusted_proxies configuration setting contains a sequence
    # of front-end proxies that are trusted to supply an accurate
    # X_FORWARDED_FOR header. If REMOTE_ADDR is one of the values in
    # this list and it has set an X_FORWARDED_FOR header, ZPublisher
    # copies REMOTE_ADDR into X_FORWARDED_BY, and the last element of
    # the X_FORWARDED_FOR list into REMOTE_ADDR. X_FORWARDED_FOR is
    # left unchanged. The ZConfig machinery may set this attribute
    # on initialization if any trusted-proxies are defined in the
    # configuration file.
    trusted_proxies = []

Would it be valuable to have equivalent machinery in Zope 3? I would
like to retrieve the IP address and it'd be nice if it worked with proxies.

Porting this code to Zope 3 sounds possible. Some problems:

* 'HTTP_X_FORWARDED_FOR' is not seen as something that ends up in
  environ, as it's not considered to be a valid cgi name by
  zope.publisher.browser. Where would it end up? In headers?

* There's no zconf setting in Zope 3 that I'm aware of to configure
  trusted_proxies

* There's a comment that cookie data is accessed before environ data.
  Does this mean a cookie could be crafted to fake REMOTE_ADDR?

Regards,
Martijn
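
Added example (not part of the original post, and not Zope code): a stand-alone Python 3 version of the trusted-proxy rule that the quoted Zope 2 code applies. It goes one step further than the quoted code by walking X-Forwarded-For from right to left past every trusted proxy and by rejecting entries that are not IP literals. The function name client_addr and all sample addresses are assumptions made for illustration.

```python
import ipaddress


def _parse(value):
    """Return an ip_address object, or None if value is not a literal IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_addr(environ, trusted_proxies):
    """Resolve the client IP from a CGI/WSGI-style environ dict.

    X-Forwarded-For is consulted only when the directly connected peer
    (REMOTE_ADDR) is a trusted proxy; otherwise the header is client
    controlled and is ignored, as in the Zope 2 code quoted above.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = _parse(environ.get('REMOTE_ADDR', ''))
    if peer is None:
        return ''
    if peer not in trusted:
        return str(peer)
    # Walk the chain right to left: the rightmost entry was appended by the
    # proxy we trust; entries further left are only as good as their sender.
    hops = environ.get('HTTP_X_FORWARDED_FOR', '').split(',')
    candidate = peer
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:
            break          # malformed or empty entry: keep the last good hop
        candidate = addr
        if addr not in trusted:
            break          # first untrusted hop is the best-known client
    return str(candidate)


# Constructed sample values (documentation address ranges), not from the post.
PROXIES = ['192.0.2.10', '192.0.2.11']
SPOOFED = {'REMOTE_ADDR': '203.0.113.7', 'HTTP_X_FORWARDED_FOR': '10.0.0.1'}
PROXIED = {'REMOTE_ADDR': '192.0.2.10',
           'HTTP_X_FORWARDED_FOR': '10.0.0.1, 198.51.100.23, 192.0.2.11'}

if __name__ == '__main__':
    print(client_addr(SPOOFED, PROXIES))   # header ignored: peer is untrusted
    print(client_addr(PROXIED, PROXIES))   # skips the trusted hop 192.0.2.11
```

In the PROXIED sample the leftmost entry (10.0.0.1) is never reached, because everything to the left of the first untrusted hop was supplied by that hop and cannot be verified.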