You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
However, the wsgi spec does not actually define REMOTE_ADDR, and the system could be behind a proxy with X-FORWARDED-FOR headers. I know if at least one WSGI server that does not provide this.
The text was updated successfully, but these errors were encountered:
request.remote_addr is implemented as an "environ_getter" in webob; the getter looks for the value of environ['REMOTE_ADDR'] and if it doesn't exist it returns None. It would be quite dangerous for us to also consider HTTP_X_FORWARDED_FOR here because that header can be set by an HTTP client. Any fix that used HTTP_X_FORWARDED_FOR would require us to also ensure that the value of REMOTE_ADDR was in a "trusted proxy" list, so it wouldn't work under the server you've mentioned anyway.
That said, I'd consider a patch that made the "ok check" a callback so you could pass in an arbitrary function to do the checking (rather than the toolbar being hardcoded to depend on REMOTE_ADDR).
The HTTP_X_FORWARDED_FOR, or any other proxy-specific headers should be translated into their environ keys by some middleware. For example paste's PrefixMiddleware does this already for HTTP_X_FORWARDED_PROTO, _SCHEME and _SERVER.
toolbar.py: 101
remote_addr = request.remote_addr
However, the wsgi spec does not actually define REMOTE_ADDR, and the system could be behind a proxy with X-FORWARDED-FOR headers. I know if at least one WSGI server that does not provide this.
The text was updated successfully, but these errors were encountered: