REMOTE_ADDR used unconditionally

[steamraven]

toolbar.py: 101
remote_addr = request.remote_addr

However, the wsgi spec does not actually define REMOTE_ADDR, and the system could be behind a proxy with X-FORWARDED-FOR headers. I know if at least one WSGI server that does not provide this.

[mcdonc]

request.remote_addr is implemented as an "environ_getter" in webob; the getter looks for the value of environ['REMOTE_ADDR'] and if it doesn't exist it returns None. It would be quite dangerous for us to also consider HTTP_X_FORWARDED_FOR here because that header can be set by an HTTP client. Any fix that used HTTP_X_FORWARDED_FOR would require us to also ensure that the value of REMOTE_ADDR was in a "trusted proxy" list, so it wouldn't work under the server you've mentioned anyway.

That said, I'd consider a patch that made the "ok check" a callback so you could pass in an arbitrary function to do the checking (rather than the toolbar being hardcoded to depend on REMOTE_ADDR).

[mmerickel]

The HTTP_X_FORWARDED_FOR, or any other proxy-specific headers should be translated into their environ keys by some middleware. For example paste's PrefixMiddleware does this already for HTTP_X_FORWARDED_PROTO, _SCHEME and _SERVER.