[Mailman-Users] HTTP_X_FORWARDED_FOR logging support

Stephen J. Turnbull stephen at xemacs.org
Tue Jun 23 02:06:44 CEST 2015


Are you proposing this for inclusion in a future Mailman distribution?
If so, RFC 7239 Forwarded-For should be supported as well.

Also, since one of the purposes of this information appears to be
detection of attacks of various kinds, I would think that instead of
falling back to REMOTE_HOST or REMOTE_ADDR, you would want to collect
all of them.  After all, this is cheap since you're getting it from
the HTTP headers; no DNS lookups or whatever are involved, they've
already been done.

This especially applies to REMOTE_HOST vs. REMOTE_ADDR.

Jim Popovitch writes:
 > Hello,
 > 
 > I'm looking for feedback on the attached patch which adds support for
 > logging the real client IP address when Mailman is behind a proxy.
 > 
 > I'm also looking for feedback on the use of REMOTE_ADDR instead of REMOTE_HOST.
 > 
 > Ex:
 > 
 > -    remote = os.environ.get('REMOTE_HOST',
 > +   remote = os.environ.get('HTTP_X_FORWARDED_FOR',
 >                              os.environ.get('REMOTE_ADDR',
 >                                             'unidentified origin'))
 > 
 > 
 > Thanks!!
 > 
 > -Jim P.
 > === modified file 'Mailman/Cgi/listinfo.py'
 > --- Mailman/Cgi/listinfo.py	2015-05-06 15:07:08 +0000
 > +++ Mailman/Cgi/listinfo.py	2015-06-20 21:11:21 +0000
 > @@ -186,7 +186,7 @@
 >          'subscribe')
 >      if mm_cfg.SUBSCRIBE_FORM_SECRET:
 >          now = str(int(time.time()))
 > -        remote = os.environ.get('REMOTE_HOST',
 > +        remote = os.environ.get('HTTP_X_FORWARDED_FOR',
 >                                  os.environ.get('REMOTE_ADDR',
 >                                                 'w.x.y.z'))
 >          # Try to accept a range in case of load balancers, etc.  (LP: #1447445)
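Review bot: the `-`/`+` pair here replaces REMOTE_HOST with HTTP_X_FORWARDED_FOR as the first choice, but that header is supplied by whoever sends the request: when Mailman is not behind a proxy, or the proxy appends to an incoming header instead of replacing it, any visitor can put an arbitrary string into `remote`. Suggest consulting HTTP_X_FORWARDED_FOR only when REMOTE_ADDR is a configured proxy address and keeping the REMOTE_HOST / REMOTE_ADDR lookup as the fallback for everyone else. The trailing context comment ("Try to accept a range in case of load balancers") indicates the comma-separated chain is already dealt with below this hunk, so the value shape is fine here.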
 > 
 > === modified file 'Mailman/Cgi/options.py'
 > --- Mailman/Cgi/options.py	2015-02-05 12:15:37 +0000
 > +++ Mailman/Cgi/options.py	2015-06-20 21:11:21 +0000
 > @@ -193,7 +193,7 @@
 >                      mlist.HoldUnsubscription(user)
 >                      doc.addError(msga, tag='')
 >                  else:
 > -                    ip = os.environ.get('REMOTE_ADDR')
 > +                    ip = os.environ.get('HTTP_X_FORWARDED_FOR', os.environ.get('REMOTE_ADDR'))
 >                      mlist.ConfirmUnsubscription(user, userlang, remote=ip)
 >                      doc.addError(msgc, tag='')
 >                  mlist.Save()
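Review bot: `ip` is passed straight to `ConfirmUnsubscription(user, userlang, remote=ip)` on the context line, and with this change it may now be a comma-separated chain ("client, proxy1, proxy2") rather than one address, with no equivalent of the range handling the listinfo.py hunk refers to; take the relevant element before passing it on, or handle the chain in the callee. The new line is also well over the width used by the surrounding code, so wrap it like the other call sites.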
 > @@ -264,7 +264,7 @@
 >              # So as not to allow membership leakage, prompt for the email
 >              # address and the password here.
 >              if mlist.private_roster <> 0:
 > -                remote = os.environ.get('REMOTE_HOST', os.environ.get('REMOTE_ADDR', 'unidentified origin'))
 > +                remote = os.environ.get('HTTP_X_FORWARDED_FOR', os.environ.get('REMOTE_ADDR', 'unidentified origin'))
 >                  syslog('mischief',
 >                         'Login failure with private rosters: %s from %s',
 >                         user, remote)
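Review bot: this is the 'mischief' log for private-roster login failures, so with HTTP_X_FORWARDED_FOR preferred the party being logged gets to choose the "from %s" value unless the header is known to come from a trusted proxy; log REMOTE_ADDR alongside the forwarded value rather than in place of it (e.g. `'... %s from %s (via %s)', user, remote, os.environ.get('REMOTE_ADDR')`) so the TCP peer is always on record. Same line-length point as the previous hunk.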
 > 
 > 
 > === modified file 'Mailman/Cgi/subscribe.py'
 > --- Mailman/Cgi/subscribe.py	2015-04-24 00:42:33 +0000
 > +++ Mailman/Cgi/subscribe.py	2015-06-20 21:11:21 +0000
 > @@ -118,7 +118,7 @@
 >      # Canonicalize the full name
 >      fullname = Utils.canonstr(fullname, lang)
 >      # Who was doing the subscribing?
 > -    remote = os.environ.get('REMOTE_HOST',
 > +    remote = os.environ.get('HTTP_X_FORWARDED_FOR',
 >                              os.environ.get('REMOTE_ADDR',
 >                                             'unidentified origin'))
 >      # Are we checking the hidden data?
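Review bot: this is the fourth copy of the same REMOTE_HOST -> HTTP_X_FORWARDED_FOR lookup in the patch; a single helper in Mailman/Utils.py that returns the remote identifier (and makes the trusted-proxy decision once) would keep the fallback order consistent across listinfo.py, options.py and subscribe.py and give one place to fix it later.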
 > 
 > === modified file 'Mailman/Utils.py'
 > --- Mailman/Utils.py	2015-05-06 15:07:08 +0000
 > +++ Mailman/Utils.py	2015-06-20 21:11:21 +0000
 > @@ -261,8 +261,9 @@
 >      path = os.environ.get(envar)
 >      if path:
 >          if CRNLpat.search(path):
 > +            client = os.environ.get('HTTP_X_FORWARDED_FOR', os.environ.get('REMOTE_ADDR')) 
 >              path = CRNLpat.split(path)[0]
 > -            syslog('error', 'Warning: Possible malformed path attack.')
 > +            syslog('error', 'Warning: Possible malformed path attack d=%s r=%s' % get_domain(), client)
 >          return [p for p in path.split('/') if p]
 >      return None
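Review bot: the new syslog call is broken: `'... d=%s r=%s' % get_domain(), client` applies `%` to `get_domain()` alone (the comma separates call arguments, it does not build a tuple), so a format with two `%s` receives one value and raises TypeError, and `client` is passed as a stray extra argument. Use the argument style the file already uses elsewhere, `syslog('error', 'Warning: Possible malformed path attack d=%s r=%s', get_domain(), client)`, or `% (get_domain(), client)`. The added `client = ...` line also carries trailing whitespace, and `client` can be None when neither variable is set.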
 >  ------------------------------------------------------
 > Mailman-Users mailing list Mailman-Users at python.org
 > https://mail.python.org/mailman/listinfo/mailman-users
 > Mailman FAQ: http://wiki.list.org/x/AgA3
 > Security Policy: http://wiki.list.org/x/QIA9
 > Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
 > Unsubscribe: https://mail.python.org/mailman/options/mailman-users/stephen%40xemacs.org
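Stephen's two suggestions above (support RFC 7239 Forwarded as well as X-Forwarded-For, and collect every indicator rather than falling back to one of them) sketched as an added Python example; it is not part of the patch or of Mailman. The TRUSTED_PROXIES set and all function names are assumptions, and the `trusted` flag is the check the patch lacks: forwarding headers are recorded for everyone but only believed when the TCP peer is a known proxy.

```python
import re

# Assumption for this example: the reverse proxies that are allowed to set
# forwarding headers.  Anything else is a direct client and its headers are
# recorded but not trusted.
TRUSTED_PROXIES = frozenset({'127.0.0.1', '10.0.0.5'})

# RFC 7239 Forwarded, e.g. 'for=192.0.2.43;proto=https, for="[2001:db8::1]"'
_FOR_RE = re.compile(r'(?:^|[;,])\s*for=("?)([^;,"]+)\1', re.IGNORECASE)
_CTRL_RE = re.compile(r'[\x00-\x1f\x7f]')


def _clean(value):
    """Replace control characters so a forged header cannot inject log lines."""
    return _CTRL_RE.sub('?', value)


def parse_forwarded(value):
    """Return every for= element of an RFC 7239 Forwarded header, in order."""
    return [m.group(2).strip() for m in _FOR_RE.finditer(_clean(value))]


def parse_xff(value):
    """Return the X-Forwarded-For chain (client first, proxies after) as a list."""
    return [p.strip() for p in _clean(value).split(',') if p.strip()]


def client_origins(environ, trusted=TRUSTED_PROXIES):
    """Collect all origin indicators from a CGI environ instead of picking one.

    'trusted' is True only when the TCP peer (REMOTE_ADDR) is a known proxy;
    otherwise the forwarding headers were set by the client itself.
    """
    remote_addr = environ.get('REMOTE_ADDR')
    return {
        'remote_addr': remote_addr,
        'remote_host': environ.get('REMOTE_HOST'),
        'x_forwarded_for': parse_xff(environ.get('HTTP_X_FORWARDED_FOR', '')),
        'forwarded': parse_forwarded(environ.get('HTTP_FORWARDED', '')),
        'trusted': remote_addr in trusted,
    }


def origin_log_field(environ, trusted=TRUSTED_PROXIES):
    """Render all indicators as one syslog-safe field, e.g. for 'mischief' logs."""
    o = client_origins(environ, trusted)
    return 'addr=%s host=%s xff=%s fwd=%s trusted=%s' % (
        o['remote_addr'] or '-',
        o['remote_host'] or '-',
        ','.join(o['x_forwarded_for']) or '-',
        ','.join(o['forwarded']) or '-',
        'yes' if o['trusted'] else 'no')
```

A Mailman call site would log `origin_log_field(os.environ)` in place of the single `remote` value, so the TCP peer is always on record next to whatever the headers claim.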
