I have been debugging the reported problems accessing the wiki.squeak.org wiki for those behind a proxy. I have tracked it down to the implementation of HttpRequest>>initProxyForwarding in the image. It assumes that if an x-forwarded-for header exists that it is a single IP address. This appears to be a poor assumption. For example:
x-forwarded-for: 74.141.6.178, 62.90.138.162
I have not so far been able to track down documentation to confirm whether or not this is 'officially' valid. Nonetheless Swiki should probably not fail when this assumption is invalid.
Ken
Interesting. Why would it have two x-forwarded-for addresses? In other words, what is the meaning of the other address? Which address should be used?
Peace and Luck!
Jeff
On Thu, Jan 18, 2007 at 04:16:45PM -0600, Ken Causey wrote:
I have been debugging the reported problems accessing the wiki.squeak.org wiki for those behind a proxy. I have tracked it down to the implementation of HttpRequest>>initProxyForwarding in the image. It assumes that if an x-forwarded-for header exists that it is a single IP address. This appears to be a poor assumption. For example:
x-forwarded-for: 74.141.6.178, 62.90.138.162
I have not so far been able to track down documentation to confirm whether or not this is 'officially' valid. Nonetheless Swiki should probably not fail when this assumption is invalid.
Ken
Here is what I have found:
"If a request has passed through multiple proxies then the X-Forwarded-For may contain several IPs like this:
X-Forwarded-For: client1, proxy1, proxy2"
http://www.openinfo.co.uk/apache/index.html
And this appears to be true for the one example I have seen. So fundamentally I think you simply need to look at the first quad and ignore the rest. At the same time, if it is non-blank, but you can't extract the host address, you probably should treat it as if the x-forwarded-for header is simply non-existent.
Ken
On Thu, 2007-01-18 at 18:13 -0500, Jochen F. Rick wrote:
Interesting. Why would it have two x-forwarded-for addresses? In other words, what is the meaning of the other address? Which address should be used?
Peace and Luck!
Jeff
Ah. That should be pretty easy to fix. I'm a bit busy right now, but I should be able to get to it soon.
Peace and Luck!
Jeff
On Thu, Jan 18, 2007 at 05:51:10PM -0600, Ken Causey wrote:
Here is what I have found:
"If a request has passed through multiple proxies then the X-Forwarded-For may contain several IPs like this:
X-Forwarded-For: client1, proxy1, proxy2"
http://www.openinfo.co.uk/apache/index.html
And this appears to be true for the one example I have seen. So fundamentally I think you simply need to look at the first quad and ignore the rest. At the same time, if it is non-blank, but you can't extract the host address, you probably should treat it as if the x-forwarded-for header is simply non-existent.
Ken
Hi Ken,
I was finally able to get somebody to help me check this. I have a fix. I'm attaching it.
Peace and Luck!
Jeff
Thank you, I believe that does fix the immediate problem. I will notify squeak-dev and request confirmation from those that had trouble.
One comment however. This still assumes that the x-forwarded-for header, if it exists, is non-pathological. Should you not confirm that you get something that is truly IP-address-like and if not ignore the header?
But perhaps I'm asking too much. What are the chances that a valid browsing user is going to have a pathological x-forwarded-for header? Perhaps too small to be of interest.
In any case, thanks!
Ken
On Tue, 2007-01-30 at 16:05 -0500, Jochen F. Rick wrote:
Hi Ken,
I was finally able to get somebody to help me check this. I have a fix. I'm attaching it.
Peace and Luck!
Jeff
Well. I guess the real point is whether you trust the apache server that is doing the forward. If you do, then the x-forwarded-for header should be in good condition.
Peace and Luck!
Jeff
On Wed, Jan 31, 2007 at 02:50:13PM -0600, Ken Causey wrote:
Thank you, I believe that does fix the immediate problem. I will notify squeak-dev and request confirmation from those that had trouble.
One comment however. This still assumes that the x-forwarded-for header, if it exists, is non-pathological. Should you not confirm that you get something that is truly IP-address-like and if not ignore the header?
But perhaps I'm asking too much. What are the chances that a valid browsing user is going to have a pathological x-forwarded-for header? Perhaps too small to be of interest.
In any case, thanks!
Ken
box-admins@lists.squeakfoundation.org
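
The handling discussed in this thread, as an added example: it is not the fix attached to the thread (which is not shown here) and not Swiki code. It is written in Python rather than Squeak; the function names and the `TRUSTED_PROXIES` set (assumed here to be a front-end proxy on loopback) are hypothetical. It takes the first entry of the header, ignores the header when that entry is not IP-address-like, and consults the header only when the request arrived from the trusted forwarding proxy.

```python
import ipaddress

# Assumption: the forwarding front-end proxy connects from loopback.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}


def first_forwarded_address(header_value):
    """Return the first X-Forwarded-For entry as an IP address, or None."""
    if not header_value:
        return None
    # "client1, proxy1, proxy2": only the first entry is of interest here.
    first = header_value.split(",", 1)[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        # Not IP-address-like: behave as if the header were absent.
        return None


def client_address(peer_ip, headers):
    """Pick the address a request is attributed to.

    peer_ip: address of the directly connected peer, as a string.
    headers: dict of header name -> value (names in any letter case).
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # The header was not written by our own proxy; do not consult it.
        return peer
    lowered = {name.lower(): value for name, value in headers.items()}
    forwarded = first_forwarded_address(lowered.get("x-forwarded-for"))
    return forwarded if forwarded is not None else peer


if __name__ == "__main__":
    # Constructed requests; the first header value is the one quoted in the thread.
    samples = [
        ("127.0.0.1", {"x-forwarded-for": "74.141.6.178, 62.90.138.162"}),
        ("127.0.0.1", {"X-Forwarded-For": "unknown, 62.90.138.162"}),
        ("127.0.0.1", {}),
        ("203.0.113.9", {"x-forwarded-for": "74.141.6.178"}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", client_address(peer, hdrs))
```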