[Box-Admins] Re: I need Help (was Re: Squeak Wiki Problem)

Ken Causey ken at kencausey.com
Wed Jan 31 20:50:13 UTC 2007


Thank you, I believe that does fix the immediate problem.  I will notify
squeak-dev and request confirmation from those that had trouble.

One comment however.  This still assumes that the x-forwarded-for
header, if it exists, is non-pathological.  Should you not confirm that
you get something that is truly IP-address-like and if not ignore the
header?

But perhaps I'm asking too much.  What are the chances that a valid
browsing user is going to have a pathological x-forwarded-for header?
Perhaps too small to be of interest.

In any case, thanks!

Ken

On Tue, 2007-01-30 at 16:05 -0500, Jochen F. Rick wrote:
> Hi Ken,
> 
> I was finally able to get somebody to help me check this. I have a fix. 
> I'm attaching it.
> 
> Peace and Luck!
> 
> Jeff
> 
> 
> On Thu, Jan 18, 2007 at 05:51:10PM -0600, Ken Causey wrote:
> > Here is what I have found:
> > 
> > "If a request has passed through multiple proxies then the
> > X-Forwarded-For may contain several IPs like this: 
> > 
> > X-Forwarded-For: client1, proxy1, proxy2"
> > 
> > http://www.openinfo.co.uk/apache/index.html
> > 
> > And this appears to be true for the one example I have seen.   So
> > fundamentally I think you simply need to look at the first quad and ignore
> > the rest.  At the same time, if it is non-blank, but you can't extract
> > the host address, you probably should treat it as if the x-forwarded-for
> > header is simply non-existent.
> > 
> > Ken
> > 
> > On Thu, 2007-01-18 at 18:13 -0500, Jochen F. Rick wrote:
> > > Interesting. Why would it have two x-forwarded-for addresses? In other 
> > > words, what is the meaning of the other address? Which address should be 
> > > used?
> > > 
> > > Peace and Luck!
> > > 
> > > Jeff
> > > 
> > > 
> > > 
> > > On Thu, Jan 18, 2007 at 04:16:45PM -0600, Ken Causey wrote:
> > > > I have been debugging the reported problems accessing the
> > > > wiki.squeak.org wiki for those behind a proxy.  I have tracked it down
> > > > to the implementation of HttpRequest>>initProxyForwarding in the image.
> > > > It assumes that if an x-forwarded-for header exists that it is a single
> > > > IP address.  This appears to be a poor assumption.  For example:
> > > > 
> > > > x-forwarded-for: 74.141.6.178, 62.90.138.162
> > > > 
> > > > I have not so far been able to track down documentation to confirm
> > > > whether or not this is 'officially' valid.  Nonetheless Swiki should
> > > > probably not fail when this assumption is invalid.
> > > > 
> > > > Ken
> > > 
> > > 
> > > 
> 
> 
> 
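
The handling discussed in this thread (use only the first entry of X-Forwarded-For, and treat the header as absent when that entry is not IP-address-like), as an added Python example that is not the Swiki fix attached to the original message. The function names, the headers dict and the peer address parameter are assumptions made for illustration.

```python
import ipaddress
from typing import Optional


def first_forwarded_address(header_value: Optional[str]) -> Optional[str]:
    """Return the first X-Forwarded-For entry if it is a literal IP, else None."""
    if not header_value:
        return None
    # "client1, proxy1, proxy2": only the first element names the client.
    first = header_value.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        # Non-blank but not IP-address-like ("unknown", a hostname, junk):
        # behave as if the header did not exist.
        return None


def client_address(headers: dict, peer_address: str) -> str:
    """Choose the address to attribute a request to.

    headers is a hypothetical name -> value mapping of request headers;
    peer_address is the address of the directly connected peer.
    """
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            forwarded = first_forwarded_address(value)
            if forwarded is not None:
                return forwarded
            break  # header present but unusable: ignore it
    return peer_address


# Constructed sample requests (the first header value is the one quoted in the thread).
SAMPLES = [
    ({"x-forwarded-for": "74.141.6.178, 62.90.138.162"}, "192.0.2.10"),
    ({"X-Forwarded-For": "unknown, 62.90.138.162"}, "192.0.2.10"),
    ({"X-Forwarded-For": "<script>alert(1)</script>"}, "192.0.2.10"),
    ({"X-Forwarded-For": " 2001:db8::1 , 192.0.2.1"}, "192.0.2.10"),
    ({}, "192.0.2.10"),
]

if __name__ == "__main__":
    for sample_headers, peer in SAMPLES:
        print(sample_headers, "->", client_address(sample_headers, peer))
```

Validation only shows the value is well-formed; the header is set by the client or any proxy on the path, so the result is not proof of where the request came from.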