diff options
author | Mark Sapiro <mark@msapiro.net> | 2015-06-23 12:53:50 -0700 |
---|---|---|
committer | Mark Sapiro <mark@msapiro.net> | 2015-06-23 12:53:50 -0700 |
commit | 5c01d482cc37706251892ea1b620b221da2d2ca4 (patch) | |
tree | 7138ce95a77309550e3657e8e9656f55422a99ab | |
parent | ab19a1505dd93eca5d9ca6792740c9eb56302cfe (diff) | |
parent | 28f5f0ce0be5529598124bbe5e0d72b0fd605e69 (diff) | |
download | mailman2-5c01d482cc37706251892ea1b620b221da2d2ca4.tar.gz mailman2-5c01d482cc37706251892ea1b620b221da2d2ca4.tar.xz mailman2-5c01d482cc37706251892ea1b620b221da2d2ca4.zip |
Improved identification of remote clients coming via a proxy server.
Diffstat (limited to '')
-rw-r--r-- | Mailman/Cgi/listinfo.py | 7 | ||||
-rw-r--r-- | Mailman/Cgi/options.py | 13 | ||||
-rwxr-xr-x | Mailman/Cgi/subscribe.py | 7 | ||||
-rw-r--r-- | Mailman/Utils.py | 9 | ||||
-rwxr-xr-x | NEWS | 4 |
5 files changed, 30 insertions, 10 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py index 3c04e8a7..c13fdb26 100644 --- a/Mailman/Cgi/listinfo.py +++ b/Mailman/Cgi/listinfo.py @@ -187,9 +187,10 @@ def list_listinfo(mlist, lang): 'subscribe') if mm_cfg.SUBSCRIBE_FORM_SECRET: now = str(int(time.time())) - remote = os.environ.get('REMOTE_HOST', - os.environ.get('REMOTE_ADDR', - 'w.x.y.z')) + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'w.x.y.z'))) # Try to accept a range in case of load balancers, etc. (LP: #1447445) if remote.find('.') >= 0: # ipv4 - drop last octet diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py index 74f186d7..a094047e 100644 --- a/Mailman/Cgi/options.py +++ b/Mailman/Cgi/options.py @@ -193,7 +193,10 @@ def main(): mlist.HoldUnsubscription(user) doc.addError(msga, tag='') else: - ip = os.environ.get('REMOTE_ADDR') + ip = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'unidentified origin'))) mlist.ConfirmUnsubscription(user, userlang, remote=ip) doc.addError(msgc, tag='') mlist.Save() @@ -264,9 +267,13 @@ def main(): # So as not to allow membership leakage, prompt for the email # address and the password here. if mlist.private_roster <> 0: + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'unidentified origin'))) syslog('mischief', - 'Login failure with private rosters: %s', - user) + 'Login failure with private rosters: %s from %s', + user, remote) user = None # give an HTTP 401 for authentication failure print 'Status: 401 Unauthorized' diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py index fff21e98..ab5c7cd8 100755 --- a/Mailman/Cgi/subscribe.py +++ b/Mailman/Cgi/subscribe.py @@ -118,9 +118,10 @@ def process_form(mlist, doc, cgidata, lang): # Canonicalize the full name fullname = Utils.canonstr(fullname, lang) # Who was doing the subscribing? - remote = os.environ.get('REMOTE_HOST', - os.environ.get('REMOTE_ADDR', - 'unidentified origin')) + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'unidentified origin'))) # Are we checking the hidden data? if mm_cfg.SUBSCRIBE_FORM_SECRET: now = int(time.time()) diff --git a/Mailman/Utils.py b/Mailman/Utils.py index e7eaa389..fe513c8e 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -262,7 +262,14 @@ def GetPathPieces(envar='PATH_INFO'): if path: if CRNLpat.search(path): path = CRNLpat.split(path)[0] - syslog('error', 'Warning: Possible malformed path attack.') + remote = os.environ.get('HTTP_FORWARDED_FOR', + os.environ.get('HTTP_X_FORWARDED_FOR', + os.environ.get('REMOTE_ADDR', + 'unidentified origin'))) + syslog('error', + 'Warning: Possible malformed path attack domain=%s remote=%s', + get_domain(), + remote) return [p for p in path.split('/') if p] return None @@ -14,6 +14,10 @@ Here is a history of user visible changes to Mailman. Bug fixes and other patches + - Improved identification of remote clients for logging and subscribe + form checking in cases where access is via a proxy server. Thanks to + Jim Popovitch. + - Fixed an issue with shunted messages on a list where the charset for the list's preferred_language had been changed from iso-8859-1 to utf-8 without recoding the list's description. (LP: #1462755) |