[Seaside-dev] Seaside 2.8 WAUrl>>takeParametersFromRequest:
X-Forwarded-Host
Philippe Marschall
philippe.marschall at gmail.com
Tue Mar 25 05:58:20 UTC 2008
2008/3/25, Randal L. Schwartz <merlyn at stonehenge.com>:
> >>>>> "Michael" == Michael Lucas-Smith <mlucas-smith at cincom.com> writes:
>
> Michael> It came to our attention that the #takeParametersFromRequest: method,
> Michael> which rightly grabs the host, doesn't grab x-forwarded-host when it
> Michael> is available. That means that the URLs put out by the anchor tag and
> Michael> other such things will point to the internal address of the server
> Michael> instead of the external address.
>
> Beware of trusting x-forwarded-host unless you *know* the request
> is coming from the right host though.
Which would either be 127.0.0.1 or localhost. WASessionProtector has
the same problem. I repeat my proposal to move #remoteAddress to
WARequest, currently it has to be accessed through #nativeRequest.
Cheers
Philippe
More information about the seaside-dev
mailing list