From 0635284834f18601e868c96244bc61702eade310 Mon Sep 17 00:00:00 2001
From: David Wilemski
Date: Sat, 17 Dec 2011 14:45:59 -0500
Subject: [PATCH 1/2] Fix for bug #392 Validates the remote_ip from xheaders using socket.inet_pton
---
 tornado/httpserver.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/tornado/httpserver.py b/tornado/httpserver.py
index 74f1a8ac..13580159 100644
--- a/tornado/httpserver.py
+++ b/tornado/httpserver.py
@@ -362,6 +362,8 @@ class HTTPRequest(object):
 # Squid uses X-Forwarded-For, others use X-Real-Ip
 self.remote_ip = self.headers.get(
 "X-Real-Ip", self.headers.get("X-Forwarded-For", remote_ip))
+ if not self.__valid_ip(self.remote_ip):
+ self.remote_ip = remote_ip
 # AWS uses X-Forwarded-Proto
 self.protocol = self.headers.get(
 "X-Scheme", self.headers.get("X-Forwarded-Proto", protocol))
@@ -457,3 +459,14 @@ class HTTPRequest(object):
 args = ", ".join(["%s=%r" % (n, getattr(self, n)) for n in attrs])
 return "%s(%s, headers=%s)" % (
 self.__class__.__name__, args, dict(self.headers))
+
+ def __valid_ip(self, ip):
+ try:
+ address = socket.inet_pton(socket.AF_INET, ip)
+ except socket.error:
+ try:
+ address = socket.inet_pton(socket.AF_INET6, ip)
+ except socket.error:
+ return False
+
+ return True
From 4f64fbe99bc7cf6d4e8cdaaf04e6f467dca61a89 Mon Sep 17 00:00:00 2001
From: David Wilemski
Date: Sat, 17 Dec 2011 14:48:23 -0500
Subject: [PATCH 2/2] A typo fix I noticed while fixing bug 392
---
 tornado/httpserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tornado/httpserver.py b/tornado/httpserver.py
index 13580159..10723590 100644
--- a/tornado/httpserver.py
+++ b/tornado/httpserver.py
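Review bot: In the first hunk of patch 1, `self.__valid_ip(self.remote_ip)` is applied to the raw header value, but `X-Forwarded-For` is commonly a comma-separated list (`client, proxy1, proxy2`), which `inet_pton` rejects, so a request that passed through a proxy chain silently falls back to the socket address. Select one element before validating, e.g. `self.remote_ip = self.remote_ip.split(",")[-1].strip()`, which takes the entry appended by the nearest proxy rather than the client-supplied leftmost one. The check also proves only that the value is a well-formed address, not that it is genuine; a comment such as `# Syntax check only: enable xheaders solely behind a proxy that overwrites these headers` would make that explicit. The enclosing method begins and ends outside the hunk.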
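Review bot: `__valid_ip` in the second hunk of patch 1 catches only `socket.error`, so any other failure from `inet_pton` on a client-supplied header propagates out of the request constructor: a value with an embedded NUL is likely rejected with `TypeError` or `ValueError` (worth confirming on the supported interpreters), and `socket.inet_pton` is documented as unavailable on some platforms, where the call would raise `AttributeError`. The rewrite below treats each of these as "not a valid address" so the caller keeps the socket address, and it also drops the unused `address` local and adds a docstring. The method never reads `self`, so a module-level helper would avoid the name-mangled double underscore. Whether `socket` is already imported in this file is not visible in the hunk.

```python
    def __valid_ip(self, ip):
        """Return True if `ip` is a well-formed IPv4 or IPv6 address literal."""
        if not hasattr(socket, "inet_pton"):
            # Cannot validate on this platform: keep the socket address.
            return False
        for family in (socket.AF_INET, socket.AF_INET6):
            try:
                socket.inet_pton(family, ip)
            except (socket.error, TypeError, ValueError):
                # Not parseable in this family, or not a clean string.
                continue
            return True
        return False
```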
@@ -322,7 +322,7 @@ class HTTPRequest(object):
 .. attribute:: protocol
 The protocol used, either "http" or "https". If `HTTPServer.xheaders`
- is seet, will pass along the protocol used by a load balancer if
+ is set, will pass along the protocol used by a load balancer if
 reported via an ``X-Scheme`` header.
 .. attribute:: host