Let the possibility to specify a wildcard for the trusted_proxy var #119
because for some cloud based reversed proxies you can't determine the fixed ip used, but you already know that the proxy can be trusted
This feature introduces a huge security hole: allowing any host which can see the server set those headers opens a site up to phishing, etc. I'd be more willing to merge a feature which allowed either a list of trusted proxies, or perhaps a way to spell a subnet (e.g., using the
pyramid_debugtoolbar works for subnets including
My first approach was indeed to use ip subnet masks, but I didn't want to introduce a dependency without first submitting the idea of trusting not only fixed ip addresses. I agree that it may introduce a hole, but in the case of Heroku you can't receive wrong headers from Nginx. Well that's what I understand so far from reading the documentation. I will make the changes then with the ipaddress package (and natively for Python 3).
Hmm, looking at https://pypi.python.org/pypi/py2-ipaddress, it doesn't appear to support Python 3.2 / 3.3, which we need to support.
https://pypi.python.org/pypi/ipaddress looks to be a better choice.
It's probably a reasonable dependency for a wsgi server to be able to parse ip addresses properly. Alternatively pyramid_debugtoolbar just vendored the ipaddr module. https://github.com/Pylons/pyramid_debugtoolbar/blob/master/pyramid_debugtoolbar/ipaddr.py
Exactly, the package
I have replaced the wildcard use by a subnet mask. So you can specify a This way people can granularly choose the security they need. Is the implementation good for you? Cheers
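The thread above settles on a list of trusted proxy networks instead of a wildcard: forwarded headers are honoured only when the TCP peer falls inside a configured subnet, so an arbitrary host that can reach the server cannot spoof the client address or scheme. The following is an added illustration of that check, written for this page and not waitress's own implementation; it uses the standard-library `ipaddress` module (the backport discussed above on Python 2), and goes slightly beyond the discussion by accepting IPv6 networks as well. The network list, header names and sample addresses are constructed for the example.

```python
import ipaddress

# Constructed sample configuration (hypothetical values): trusted proxy
# networks. A bare address is treated as a single-host network.
TRUSTED_PROXIES = ["10.0.0.0/8", "192.0.2.10", "2001:db8::/32"]


def parse_trusted_proxies(entries):
    """Turn configured strings into ip_network objects.

    strict=False lets an operator write '10.1.2.3/8' without a ValueError
    for host bits being set; a bare address becomes a /32 or /128 network.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_trusted_proxy(remote_addr, networks):
    """True if remote_addr lies inside any configured trusted network.

    Unparseable peer addresses are treated as untrusted rather than raising,
    so a malformed value can never widen the trust decision.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # 'in' returns False across address families (IPv4 addr vs IPv6 net).
    return any(addr in net for net in networks)


def effective_client(remote_addr, headers, networks):
    """Decide which client address and scheme the application should see.

    X-Forwarded-For and X-Forwarded-Proto are only honoured when the TCP
    peer is a trusted proxy; otherwise the peer's own address and a plain
    'http' scheme are returned, so an untrusted host gains nothing by
    setting those headers.
    """
    client = remote_addr
    scheme = "http"
    if is_trusted_proxy(remote_addr, networks):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            # Leftmost entry is the original client as reported by the proxy
            # chain; intermediate proxies append their own peer to the right.
            client = xff.split(",")[0].strip()
        proto = headers.get("X-Forwarded-Proto", "").strip().lower()
        if proto in ("http", "https"):
            scheme = proto
    return client, scheme


if __name__ == "__main__":
    nets = parse_trusted_proxies(TRUSTED_PROXIES)
    trusted_peer = {"X-Forwarded-For": "203.0.113.7, 10.3.4.5",
                    "X-Forwarded-Proto": "https"}
    print(effective_client("10.3.4.5", trusted_peer, nets))
    # The same headers from a peer outside every trusted network are ignored.
    print(effective_client("198.51.100.9", trusted_peer, nets))
```

Configuring a network that covers every address (`0.0.0.0/0`) reproduces the wildcard behaviour the maintainer objects to, which is exactly why the subnet form is preferable: the operator has to spell out how wide the trust is.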
The tests failed under Python 3.2, but I can't find the reason why the
I finally found how to fix the tests!
Is there a reason you have pinned Also I believe
Very well, I removed the pinned statement, it is indeed better this way!
Could you add a test for the new behavior? It's good to see the current tests pass unchanged for the
I really think this ought to not live in waitress, and instead should be middleware. There's some work that was done in WebOb and I need to take a look at it again, but I think solving it there will be much more useful as a WSGI middleware than special support in the HTTP server. |
I already argued for this a bit when the feature was added. It's in now, so we can only try to improve it. Point-being I think that your comment is not constructive to this particular PR. :-) |
@@ -33,9 +33,15 @@ | |||
'coverage', | |||
] | |||
|
|||
install_requires = [] | |||
|
|||
if sys.version_info[:2] == (2, 6): |
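Review bot: the branch that closes this hunk tests `sys.version_info[:2] == (2, 6)` exactly, so whatever it appends to the new `install_requires = []` is skipped on Python 2.7 and on 3.2. If this is where the `ipaddress` backport from the discussion above is pulled in, every interpreter below 3.3 lacks the module, and a range check such as `if sys.version_info < (3, 3):` would cover them in one place; if the 2.6 branch guards a different dependency, a comment naming it would save the next reader the guess.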
hmm
ok
@dulaccc I think this PR is good but there are outstanding issues on it going back to 2015. We cannot use this code unless you sign the contributors agreement so I must close this. If you'd like to at least add your name to CONTRIBUTORS.txt we can have someone else work on the rest.
Here is a suggestion to use the X_FORWARDED_PROTO on cloud based reversed proxies with no fixed ip. I don't see any personal objection on allowing the wildcard if it is documented well enough for this particular case.
Cheers