From: Iñaki Baz Castillo <ibc@aliax.net>
To: rack-devel@googlegroups.com
Subject: Re: Mongrel handler doesn't set env[REMOTE_ADDR] with the value of "X-Forwarded-For" header
Date: Mon, 14 Sep 2009 00:44:44 +0200
User-Agent: KMail/1.12.1 (Linux/2.6.28-15-generic; KDE/4.3.1; x86_64; ; )
References: <200909131752.14504.ibc@aliax.net> <200909140008.35571.ibc@aliax.net>
Message-Id: <200909140044.44392.ibc@aliax.net>
Reply-To: rack-devel@googlegroups.com
Mailing-List: list rack-devel@googlegroups.com; contact rack-devel+owner@googlegroups.com

On Monday, 14 September 2009, Aman Gupta wrote:
> Overwriting env['REMOTE_ADDR'] with X-Forwarded-For is not a good
> idea, because the X-Forwarded-For header can be forged by the client.

True. In the case of a scenario with an HTTP proxy, the proxy must insert that
header and ensure that it deletes existing ones (probably spoofed by the client).

But if Thin runs alone (no proxy) and receives a spoofed request with
"X-Forwarded-For", then it will fail when logging SERVER_ADDR. And it can be a
security risk!

-- 
Iñaki Baz Castillo
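Added example, not code from this thread nor from Rack, Thin or Mongrel: a
small Rack-style middleware that honours X-Forwarded-For only when the TCP
peer is one of the operator's own proxies, and then reads the header from the
right so that entries a client prepended before the proxy appended the real
address are ignored. The class name, the trusted_proxies list, the inner echo
app and every address in the demonstration are assumptions constructed for
the illustration; a request that hits the server directly with a forged
header keeps the peer address, which is the case the message above warns
about.

```ruby
require 'ipaddr'

# Rack middleware (added example, not Rack's own code): derive the client
# address from X-Forwarded-For only when the request arrived from a proxy
# listed in trusted_proxies. Hops are checked from the right; the first
# one that is not a trusted proxy is reported as the client. A forged
# header sent straight to the server is ignored because the TCP peer is
# not a trusted proxy.
class TrustedForwardedFor
  def initialize(app, trusted_proxies:)
    @app = app
    @trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    env['REMOTE_ADDR'] = client_ip(env['REMOTE_ADDR'], env['HTTP_X_FORWARDED_FOR'])
    @app.call(env)
  end

  # Returns the address to treat as the client for this request.
  def client_ip(peer, xff)
    return peer unless trusted?(peer) && xff
    hops = xff.split(',').map(&:strip).reject(&:empty?)
    # Walk right to left: the rightmost entry was appended by the proxy
    # that connected to us and is the only one that peer vouches for.
    # Stop at the first hop that is not one of our proxies.
    hops.reverse_each do |hop|
      next if trusted?(hop)
      return valid_ip?(hop) ? hop : peer   # garbage in the header: keep the peer
    end
    peer # every listed hop is one of our proxies; nothing untrusted to report
  end

  private

  def valid_ip?(str)
    IPAddr.new(str)
    true
  rescue IPAddr::InvalidAddressError, ArgumentError
    false
  end

  def trusted?(ip)
    return false unless valid_ip?(ip)
    addr = IPAddr.new(ip)
    @trusted.any? { |net| net.include?(addr) }
  end
end

# Constructed demonstration: the inner app echoes what it sees as REMOTE_ADDR.
ECHO_APP = lambda { |env| [200, { 'Content-Type' => 'text/plain' }, [env['REMOTE_ADDR']]] }
# Assumed deployment: proxies live in 10.0.0.0/8 or on localhost.
FILTER = TrustedForwardedFor.new(ECHO_APP, trusted_proxies: ['10.0.0.0/8', '127.0.0.1'])

# Runs one request through the middleware and returns the address the app saw.
def seen_remote_addr(peer, xff)
  env = { 'REMOTE_ADDR' => peer }
  env['HTTP_X_FORWARDED_FOR'] = xff if xff
  FILTER.call(env)[2].first
end

if __FILE__ == $0
  # Direct hit with a forged header: the header is ignored.
  puts seen_remote_addr('203.0.113.5', '1.2.3.4')            # 203.0.113.5
  # Through our proxy: the address the proxy appended wins.
  puts seen_remote_addr('10.0.0.2', '198.51.100.7')           # 198.51.100.7
  # Client forged an entry, proxy appended the real one: forged entry ignored.
  puts seen_remote_addr('10.0.0.2', '1.2.3.4, 198.51.100.7')  # 198.51.100.7
  # Two of our proxies chained behind one another.
  puts seen_remote_addr('10.0.0.2', '198.51.100.7, 10.0.0.3') # 198.51.100.7
end
```

Note that the proxy-side rule from the message (strip any incoming
X-Forwarded-For before appending the peer address) is still the right
configuration at the proxy; this middleware is the matching server-side
check, so that a server reachable without the proxy never trusts the header
on its own.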