[Mailman-Users] HTTP_X_FORWARDED_FOR logging support

Jim Popovitch jimpop at gmail.com
Mon Jun 22 19:24:55 CEST 2015


Hello,

I'm looking for feedback on the attached patch which adds support for
logging the real client IP address when Mailman is behind a proxy.

I'm also looking for feedback on the use of REMOTE_ADDR instead of REMOTE_HOST.

Ex:

-    remote = os.environ.get('REMOTE_HOST',
+   remote = os.environ.get('HTTP_X_FORWARDED_FOR',
                             os.environ.get('REMOTE_ADDR',
                                            'unidentified origin'))


Thanks!!

-Jim P.
-------------- next part --------------
=== modified file 'Mailman/Cgi/listinfo.py'
--- Mailman/Cgi/listinfo.py	2015-05-06 15:07:08 +0000
+++ Mailman/Cgi/listinfo.py	2015-06-20 21:11:21 +0000
@@ -186,7 +186,7 @@
         'subscribe')
     if mm_cfg.SUBSCRIBE_FORM_SECRET:
         now = str(int(time.time()))
-        remote = os.environ.get('REMOTE_HOST',
+        remote = os.environ.get('HTTP_X_FORWARDED_FOR',
                                 os.environ.get('REMOTE_ADDR',
                                                'w.x.y.z'))
         # Try to accept a range in case of load balancers, etc.  (LP: #1447445)
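Review bot: The new `remote = os.environ.get('HTTP_X_FORWARDED_FOR', ...)` lookup trusts a value that comes straight from a request header any client can send, so unless the front-end proxy is known to overwrite that header the address is chosen by the requester rather than being the "real client IP" the description aims for; the same applies to the two options.py hunks (lines 193 and 264) and the subscribe.py hunk. The header can also carry a comma-separated chain of addresses, and here the raw string feeds the SUBSCRIBE_FORM_SECRET derivation and the range handling mentioned on the following context line, while subscribe.py must derive the identical value for the secret to verify. I would only honour the header when REMOTE_ADDR is one of a configured set of trusted proxies and take a single address from it, e.g. `remote = os.environ.get('REMOTE_ADDR', 'w.x.y.z')` / `if remote in TRUSTED_PROXIES and os.environ.get('HTTP_X_FORWARDED_FOR'):` / `remote = os.environ['HTTP_X_FORWARDED_FOR'].split(',')[-1].strip()` (TRUSTED_PROXIES being a placeholder for a new mm_cfg setting). Where the value is only logged, as in the 'mischief' syslog at line 264, consumers that act on the logged address should treat it as untrusted for the same reason. The enclosing function starts outside the hunk.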

=== modified file 'Mailman/Cgi/options.py'
--- Mailman/Cgi/options.py	2015-02-05 12:15:37 +0000
+++ Mailman/Cgi/options.py	2015-06-20 21:11:21 +0000
@@ -193,7 +193,7 @@
                     mlist.HoldUnsubscription(user)
                     doc.addError(msga, tag='')
                 else:
-                    ip = os.environ.get('REMOTE_ADDR')
+                    ip = os.environ.get('HTTP_X_FORWARDED_FOR', os.environ.get('REMOTE_ADDR'))
                     mlist.ConfirmUnsubscription(user, userlang, remote=ip)
                     doc.addError(msgc, tag='')
                 mlist.Save()
@@ -264,7 +264,7 @@
             # So as not to allow membership leakage, prompt for the email
             # address and the password here.
             if mlist.private_roster <> 0:
-                remote = os.environ.get('REMOTE_HOST', os.environ.get('REMOTE_ADDR', 'unidentified origin'))
+                remote = os.environ.get('HTTP_X_FORWARDED_FOR', os.environ.get('REMOTE_ADDR', 'unidentified origin'))
                 syslog('mischief',
                        'Login failure with private rosters: %s from %s',
                        user, remote)


=== modified file 'Mailman/Cgi/subscribe.py'
--- Mailman/Cgi/subscribe.py	2015-04-24 00:42:33 +0000
+++ Mailman/Cgi/subscribe.py	2015-06-20 21:11:21 +0000
@@ -118,7 +118,7 @@
     # Canonicalize the full name
     fullname = Utils.canonstr(fullname, lang)
     # Who was doing the subscribing?
-    remote = os.environ.get('REMOTE_HOST',
+    remote = os.environ.get('HTTP_X_FORWARDED_FOR',
                             os.environ.get('REMOTE_ADDR',
                                            'unidentified origin'))
     # Are we checking the hidden data?

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2015-05-06 15:07:08 +0000
+++ Mailman/Utils.py	2015-06-20 21:11:21 +0000
@@ -261,8 +261,9 @@
     path = os.environ.get(envar)
     if path:
         if CRNLpat.search(path):
+            client = os.environ.get('HTTP_X_FORWARDED_FOR', os.environ.get('REMOTE_ADDR')) 
             path = CRNLpat.split(path)[0]
-            syslog('error', 'Warning: Possible malformed path attack.')
+            syslog('error', 'Warning: Possible malformed path attack d=%s r=%s' % get_domain(), client)
         return [p for p in path.split('/') if p]
     return None
 
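Review bot: The new `syslog('error', 'Warning: Possible malformed path attack d=%s r=%s' % get_domain(), client)` line raises TypeError instead of logging: `%` binds before the comma, so the format string with two `%s` placeholders is applied to the single string returned by get_domain(), and `client` ends up as a stray extra argument to syslog. syslog already accepts printf-style arguments (the options.py hunk at line 264 uses them), so the call should be `syslog('error', 'Warning: Possible malformed path attack d=%s r=%s', get_domain(), client)`. Since this branch is the one that handles a suspected malformed path, failing here turns the sanitisation into a traceback rather than a logged warning. The `client` value is header-supplied unless a trusted proxy rewrites it, so it is useful as a hint in the log but not as an address to act on; the added `client = ...` line also carries trailing whitespace. The enclosing function's definition starts outside the hunk.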

