Zope 2

Security enhancement for reverse proxy setups

Bug #855649 reported by gabriel
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Zope 2
Invalid
Wishlist
Unassigned

Bug Description

Zope is typically deployed behind a reverse proxy. Therefore it is necessary to configure the trusted-proxy environment variable of zope.conf to resolve the client IP address from the "x-forwarded-for" header that is added by the proxy. Currently,
if the trusted-proxy ip address was mistyped zope ignores the "x-forwarded-for" header and sets the client IP address to the IP address of the proxy. The fallback to the IP address of the proxy could be a security problem if there are any security policies configuered (autorole etc.) based on the IP address of the client. We suggest that zope should raise an error if trusted-proxy environment is set but zope recieves a "x-forwarded-for" header from an untrusted proxy. The added patch supports this behavior.

Revision history for this message
gabriel (andreasgabriel) wrote :
Revision history for this message
Hanno Schlichting (hannosch) wrote :

Sounds reasonable to me.

Changed in zope2:
importance: Undecided → Wishlist
status: New → Confirmed
Revision history for this message
Colin Watson (cjwatson) wrote :

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.

Changed in zope2:
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.