GNU Mailman

Merge lp:~jimpop/mailman/forwarded_for into lp:mailman/2.1

  1. forwarded_for
  2. Merge into 2.1
Proposed by Jim Popovitch
Status: Merged
Merge reported by: Mark Sapiro
Merged at revision: not available
Proposed branch: lp:~jimpop/mailman/forwarded_for
Merge into: lp:mailman/2.1
Diff against target: 83 lines (+23/-10)
4 files modified
Mailman/Cgi/listinfo.py (+4/-3)
Mailman/Cgi/options.py (+10/-3)
Mailman/Cgi/subscribe.py (+4/-3)
Mailman/Utils.py (+5/-1)
To merge this branch: bzr merge lp:~jimpop/mailman/forwarded_for
Reviewer Review Type Date Requested Status
Mark Sapiro Approve
Review via email: mp+262717@code.launchpad.net

Commit message

Support for HTTP_X_FORWARDED_FOR and HTTP_FORWARDED_FOR (RFC 7239)

Description of the change

This branch adds support for HTTP_X_FORWARDED_FOR and HTTP_FORWARDED_FOR, it also removes REMOTE_HOST as that is never reliable (i.e. the data for REMOTE_HOST is defined elsewhere and subject to change). This branch also identifies the remote IP in "Possible malformed path attack" errors.

To post a comment you must log in.
Revision history for this message
Mark Sapiro (msapiro) wrote :

Looks good Jim. Thank you.

review: Approve
lp:~jimpop/mailman/forwarded_for updated
1569. By Jim Popovitch

Fixed improper typo/formatting for syslog call

Revision history for this message
Jim Popovitch (jimpop) wrote :

I unfortunately found a small typo that needed attention, so I've
updated Mailman/Utils.py.

On Tue, Jun 23, 2015 at 1:34 PM, Mark Sapiro <email address hidden> wrote:
> Review: Approve
>
> Looks good Jim. Thank you.
> --
> https://code.launchpad.net/~jimpop/mailman/forwarded_for/+merge/262717
> You are the owner of lp:~jimpop/mailman/forwarded_for.

Revision history for this message
Mark Sapiro (msapiro) wrote :

On 06/23/2015 10:45 AM, jimpop wrote:
> I unfortunately found a small typo that needed attention, so I've
> updated Mailman/Utils.py.

I missed that too, but it's fixed now.

--
Mark Sapiro <email address hidden> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

Revision history for this message
Jim Popovitch (jimpop) wrote :

Wait!!! :-)

I just found another. :-( It was a missing parenthesis.

These two last minute fixes are due to me having produced the diff
from my master copy that I build MM from (it has other odd things in
it that are specific to my installation), and then I copied/pasted the
changes into the new proposed branch. I really should have done this
differently, and I will next time. I should have dev'ed the changes
on a proposed branch, then produced a local patch to import into my
private production branch. Sorry for the hiccups.

-Jim P.

On Tue, Jun 23, 2015 at 2:24 PM, Mark Sapiro <email address hidden> wrote:
> On 06/23/2015 10:45 AM, jimpop wrote:
>> I unfortunately found a small typo that needed attention, so I've
>> updated Mailman/Utils.py.
>
>
> I missed that too, but it's fixed now.
>
> --
> Mark Sapiro <email address hidden> The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
>
> https://code.launchpad.net/~jimpop/mailman/forwarded_for/+merge/262717
> You are the owner of lp:~jimpop/mailman/forwarded_for.

Revision history for this message
Mark Sapiro (msapiro) wrote :

On 06/23/2015 11:30 AM, jimpop wrote:
> Wait!!! :-)
>
> I just found another. :-( It was a missing parenthesis.

Fixed. That one I should have seen because it produces a compile error
on make install. <sigh>

--
Mark Sapiro <email address hidden> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'Mailman/Cgi/listinfo.py'
--- Mailman/Cgi/listinfo.py 2015-04-24 00:42:33 +0000
+++ Mailman/Cgi/listinfo.py 2015-06-23 17:44:49 +0000
@@ -187,9 +187,10 @@
187 'subscribe')187 'subscribe')
188 if mm_cfg.SUBSCRIBE_FORM_SECRET:188 if mm_cfg.SUBSCRIBE_FORM_SECRET:
189 now = str(int(time.time()))189 now = str(int(time.time()))
190 remote = os.environ.get('REMOTE_HOST',190 remote = os.environ.get('HTTP_FORWARDED_FOR',
191 os.environ.get('REMOTE_ADDR',191 os.environ.get('HTTP_X_FORWARDED_FOR',
192 'w.x.y.z'))192 os.environ.get('REMOTE_ADDR',
193 'w.x.y.z'))
193 # Try to accept a range in case of load balancers, etc. (LP: #1447445)194 # Try to accept a range in case of load balancers, etc. (LP: #1447445)
194 if remote.find('.') >= 0:195 if remote.find('.') >= 0:
195 # ipv4 - drop last octet196 # ipv4 - drop last octet
196197
=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py 2015-01-23 00:09:03 +0000
+++ Mailman/Cgi/options.py 2015-06-23 17:44:49 +0000
@@ -193,7 +193,10 @@
193 mlist.HoldUnsubscription(user)193 mlist.HoldUnsubscription(user)
194 doc.addError(msga, tag='')194 doc.addError(msga, tag='')
195 else:195 else:
196 ip = os.environ.get('REMOTE_ADDR')196 ip = os.environ.get('HTTP_FORWARDED_FOR',
197 os.environ.get('HTTP_X_FORWARDED_FOR',
198 os.environ.get('REMOTE_ADDR',
199 'unidentified origin')))
197 mlist.ConfirmUnsubscription(user, userlang, remote=ip)200 mlist.ConfirmUnsubscription(user, userlang, remote=ip)
198 doc.addError(msgc, tag='')201 doc.addError(msgc, tag='')
199 mlist.Save()202 mlist.Save()
@@ -264,9 +267,13 @@
264 # So as not to allow membership leakage, prompt for the email267 # So as not to allow membership leakage, prompt for the email
265 # address and the password here.268 # address and the password here.
266 if mlist.private_roster <> 0:269 if mlist.private_roster <> 0:
270 remote = os.environ.get('HTTP_FORWARDED_FOR',
271 os.environ.get('HTTP_X_FORWARDED_FOR',
272 os.environ.get('REMOTE_ADDR',
273 'unidentified origin')))
267 syslog('mischief',274 syslog('mischief',
268 'Login failure with private rosters: %s',275 'Login failure with private rosters: %s from %s',
269 user)276 user, remote)
270 user = None277 user = None
271 # give an HTTP 401 for authentication failure278 # give an HTTP 401 for authentication failure
272 print 'Status: 401 Unauthorized'279 print 'Status: 401 Unauthorized'
273280
=== modified file 'Mailman/Cgi/subscribe.py'
--- Mailman/Cgi/subscribe.py 2015-04-24 00:42:33 +0000
+++ Mailman/Cgi/subscribe.py 2015-06-23 17:44:49 +0000
@@ -118,9 +118,10 @@
118 # Canonicalize the full name118 # Canonicalize the full name
119 fullname = Utils.canonstr(fullname, lang)119 fullname = Utils.canonstr(fullname, lang)
120 # Who was doing the subscribing?120 # Who was doing the subscribing?
121 remote = os.environ.get('REMOTE_HOST',121 remote = os.environ.get('HTTP_FORWARDED_FOR',
122 os.environ.get('REMOTE_ADDR',122 os.environ.get('HTTP_X_FORWARDED_FOR',
123 'unidentified origin'))123 os.environ.get('REMOTE_ADDR',
124 'unidentified origin')))
124 # Are we checking the hidden data?125 # Are we checking the hidden data?
125 if mm_cfg.SUBSCRIBE_FORM_SECRET:126 if mm_cfg.SUBSCRIBE_FORM_SECRET:
126 now = int(time.time())127 now = int(time.time())
127128
=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py 2015-05-01 16:14:08 +0000
+++ Mailman/Utils.py 2015-06-23 17:44:49 +0000
@@ -262,7 +262,11 @@
262 if path:262 if path:
263 if CRNLpat.search(path):263 if CRNLpat.search(path):
264 path = CRNLpat.split(path)[0]264 path = CRNLpat.split(path)[0]
265 syslog('error', 'Warning: Possible malformed path attack.')265 remote = os.environ.get('HTTP_FORWARDED_FOR',
266 os.environ.get('HTTP_X_FORWARDED_FOR',
267 os.environ.get('REMOTE_ADDR',
268 'unidentified origin')))
269 syslog('error', 'Warning: Possible malformed path attack domain=%s remote=%s', get_domain(), remote)
266 return [p for p in path.split('/') if p]270 return [p for p in path.split('/') if p]
267 return None271 return None
268272