Closed
Bug 527586
Opened 15 years ago
Closed 15 years ago
Use X-Forwarded-For instead of REMOTE_ADDR for trusted proxies
Categories
(Bugzilla :: Administration, task)
Bugzilla
Administration
Tracking
()
RESOLVED
FIXED
Bugzilla 3.6
People
(Reporter: mkanat, Assigned: mkanat)
References
Details
(Whiteboard: [es-ita][wanted-bmo])
Attachments
(1 file, 2 obsolete files)
4.91 KB,
patch
|
dkl
:
review+
|
Details | Diff | Splinter Review |
It's a somewhat-common situation that people have their Bugzilla behind some sort of proxy that does something (caching, SSL, etc.) with incoming traffic. Unfortunately, this breaks $ENV{REMOTE_ADDR}, because all traffic seems to be coming from the proxy. We need a parameter (for the Advanced section) that allows admins to specify the IP of their proxy, and then if traffic comes from that proxy, we trust the X-Forwarded-For header instead of the REMOTE_ADDR.
Assignee | ||
Updated•15 years ago
|
Target Milestone: --- → Bugzilla 3.6
Comment 1•15 years ago
|
||
Should support multiple proxies, not just one.
Assignee | ||
Comment 2•15 years ago
|
||
Here we go! Fairly straightforward. I didn't use $cgi->remote_addr or $cgi->http because there could be times where we want to get the remote IP but we don't want to create a CGI object.
Comment 3•15 years ago
|
||
Comment on attachment 411317 [details] [diff] [review] v1 >+sub remote_ip { >+ my $ip = $ENV{'REMOTE_ADDR'} || '127.0.0.1'; >+ return $ip if !$ip; I don't understand this line. $ip is always defined (127.0.0.1 if nothing else), so you never return here.
Assignee | ||
Comment 4•15 years ago
|
||
Thanks, that was a mistake.
Attachment #411317 -
Attachment is obsolete: true
Attachment #411323 -
Flags: review?(dkl)
Attachment #411317 -
Flags: review?(dkl)
Assignee | ||
Updated•15 years ago
|
Whiteboard: [es-ita]
Comment 5•15 years ago
|
||
Comment on attachment 411323 [details] [diff] [review] v2 This is not applying cleanly for me. I have the dependencies installed as well. [dkl@localhost new-trunk]$ patch -p0 < /tmp/proxies.diff patching file Bugzilla/Auth/Login/Cookie.pm patching file Bugzilla/Auth/Persist/Cookie.pm Hunk #1 FAILED at 51. 1 out of 1 hunk FAILED -- saving rejects to file Bugzilla/Auth/Persist/Cookie.pm.rej patching file Bugzilla/Config/Advanced.pm patching file Bugzilla/Error.pm patching file Bugzilla/Token.pm patching file Bugzilla/Util.pm patching file template/en/default/admin/params/advanced.html.tmpl Seems that to conflict with the new input_params patch committed recently. Dave
Attachment #411323 -
Flags: review?(dkl) → review-
Assignee | ||
Comment 6•15 years ago
|
||
Ah, thanks! Bitrot fixed. bzr-loom for the win.
Attachment #411323 -
Attachment is obsolete: true
Attachment #411451 -
Flags: review?(dkl)
Comment 7•15 years ago
|
||
Comment on attachment 411451 [details] [diff] [review] v3 Looks good and works well in my testing. r=dkl
Attachment #411451 -
Flags: review?(dkl) → review+
Assignee | ||
Comment 9•15 years ago
|
||
Holding approval until the blockers are ready.
Flags: approval+ → approval?
Updated•15 years ago
|
Whiteboard: [es-ita] → [es-ita][wanted-bmo]
Assignee | ||
Updated•15 years ago
|
Flags: approval? → approval+
Assignee | ||
Comment 10•15 years ago
|
||
On checkin I had to also fix Bugzilla::User, which used remote_addr in three places from the lockout code (which was checked in since this patch was written). Checking in Bugzilla/Error.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Error.pm,v <-- Error.pm new revision: 1.27; previous revision: 1.26 done Checking in Bugzilla/Token.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Token.pm,v <-- Token.pm new revision: 1.59; previous revision: 1.58 done Checking in Bugzilla/User.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/User.pm,v <-- User.pm new revision: 1.201; previous revision: 1.200 done Checking in Bugzilla/Util.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Util.pm,v <-- Util.pm new revision: 1.99; previous revision: 1.98 done Checking in Bugzilla/Auth/Login/Cookie.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/Cookie.pm,v <-- Cookie.pm new revision: 1.7; previous revision: 1.6 done Checking in Bugzilla/Auth/Persist/Cookie.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Persist/Cookie.pm,v <-- Cookie.pm new revision: 1.13; previous revision: 1.12 done Checking in Bugzilla/Config/Advanced.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Advanced.pm,v <-- Advanced.pm new revision: 1.2; previous revision: 1.1 done Checking in template/en/default/admin/params/advanced.html.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/admin/params/advanced.html.tmpl,v <-- advanced.html.tmpl new revision: 1.2; previous revision: 1.1 done
Comment 12•12 years ago
|
||
Comment on attachment 411451 [details] [diff] [review] v3 For the record, the remote_ip() function in this patch is totally broken, but it's already been committed, so we'll need a new bug to fix it.
You need to log in
before you can comment on or make changes to this bug.
Description
•