aboutsummaryrefslogtreecommitdiffstats
path: root/Mailman/Cgi
diff options
context:
space:
mode:
authorMark Sapiro <mark@msapiro.net>2015-06-23 12:53:50 -0700
committerMark Sapiro <mark@msapiro.net>2015-06-23 12:53:50 -0700
commit5c01d482cc37706251892ea1b620b221da2d2ca4 (patch)
tree7138ce95a77309550e3657e8e9656f55422a99ab /Mailman/Cgi
parentab19a1505dd93eca5d9ca6792740c9eb56302cfe (diff)
parent28f5f0ce0be5529598124bbe5e0d72b0fd605e69 (diff)
downloadmailman2-5c01d482cc37706251892ea1b620b221da2d2ca4.tar.gz
mailman2-5c01d482cc37706251892ea1b620b221da2d2ca4.tar.xz
mailman2-5c01d482cc37706251892ea1b620b221da2d2ca4.zip
Improved identification of remote clients coming via a proxy server.
Diffstat (limited to '')
-rw-r--r--Mailman/Cgi/listinfo.py7
-rw-r--r--Mailman/Cgi/options.py13
-rwxr-xr-xMailman/Cgi/subscribe.py7
3 files changed, 18 insertions, 9 deletions
diff --git a/Mailman/Cgi/listinfo.py b/Mailman/Cgi/listinfo.py
index 3c04e8a7..c13fdb26 100644
--- a/Mailman/Cgi/listinfo.py
+++ b/Mailman/Cgi/listinfo.py
@@ -187,9 +187,10 @@ def list_listinfo(mlist, lang):
'subscribe')
if mm_cfg.SUBSCRIBE_FORM_SECRET:
now = str(int(time.time()))
- remote = os.environ.get('REMOTE_HOST',
- os.environ.get('REMOTE_ADDR',
- 'w.x.y.z'))
+ remote = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+ 'w.x.y.z')))
# Try to accept a range in case of load balancers, etc. (LP: #1447445)
if remote.find('.') >= 0:
# ipv4 - drop last octet
diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 74f186d7..a094047e 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -193,7 +193,10 @@ def main():
mlist.HoldUnsubscription(user)
doc.addError(msga, tag='')
else:
- ip = os.environ.get('REMOTE_ADDR')
+ ip = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+ 'unidentified origin')))
mlist.ConfirmUnsubscription(user, userlang, remote=ip)
doc.addError(msgc, tag='')
mlist.Save()
@@ -264,9 +267,13 @@ def main():
# So as not to allow membership leakage, prompt for the email
# address and the password here.
if mlist.private_roster <> 0:
+ remote = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+ 'unidentified origin')))
syslog('mischief',
- 'Login failure with private rosters: %s',
- user)
+ 'Login failure with private rosters: %s from %s',
+ user, remote)
user = None
# give an HTTP 401 for authentication failure
print 'Status: 401 Unauthorized'
diff --git a/Mailman/Cgi/subscribe.py b/Mailman/Cgi/subscribe.py
index fff21e98..ab5c7cd8 100755
--- a/Mailman/Cgi/subscribe.py
+++ b/Mailman/Cgi/subscribe.py
@@ -118,9 +118,10 @@ def process_form(mlist, doc, cgidata, lang):
# Canonicalize the full name
fullname = Utils.canonstr(fullname, lang)
# Who was doing the subscribing?
- remote = os.environ.get('REMOTE_HOST',
- os.environ.get('REMOTE_ADDR',
- 'unidentified origin'))
+ remote = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+ 'unidentified origin')))
# Are we checking the hidden data?
if mm_cfg.SUBSCRIBE_FORM_SECRET:
now = int(time.time())