From: David Wilemski Date: Thu, 18 Apr 2013 18:20:37 +0000 (-0400) Subject: support ip lists in X-Forwarded-For headers X-Git-Tag: v3.1.0~102^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F745%2Fhead;p=thirdparty%2Ftornado.git support ip lists in X-Forwarded-For headers --- diff --git a/tornado/httpserver.py b/tornado/httpserver.py index 16472fa44..f597737a0 100644 --- a/tornado/httpserver.py +++ b/tornado/httpserver.py @@ -431,8 +431,10 @@ class HTTPRequest(object): # xheaders can override the defaults if connection and connection.xheaders: # Squid uses X-Forwarded-For, others use X-Real-Ip + ip = self.headers.get("X-Forwarded-For", self.remote_ip) + ip = ip.split(',')[-1].strip() ip = self.headers.get( - "X-Real-Ip", self.headers.get("X-Forwarded-For", self.remote_ip)) + "X-Real-Ip", ip) if netutil.is_valid_ip(ip): self.remote_ip = ip # AWS uses X-Forwarded-Proto diff --git a/tornado/test/httpserver_test.py b/tornado/test/httpserver_test.py index ba23a15ba..6f53c3af6 100644 --- a/tornado/test/httpserver_test.py +++ b/tornado/test/httpserver_test.py @@ -397,16 +397,31 @@ class XHeaderTest(HandlerBaseTestCase): self.fetch_json("/", headers=valid_ipv4)["remote_ip"], "4.4.4.4") + valid_ipv4_list = {"X-Forwarded-For": "127.0.0.1, 4.4.4.4"} + self.assertEqual( + self.fetch_json("/", headers=valid_ipv4_list)["remote_ip"], + "4.4.4.4") + valid_ipv6 = {"X-Real-IP": "2620:0:1cfe:face:b00c::3"} self.assertEqual( self.fetch_json("/", headers=valid_ipv6)["remote_ip"], "2620:0:1cfe:face:b00c::3") + valid_ipv6_list = {"X-Forwarded-For": "::1, 2620:0:1cfe:face:b00c::3"} + self.assertEqual( + self.fetch_json("/", headers=valid_ipv6_list)["remote_ip"], + "2620:0:1cfe:face:b00c::3") + invalid_chars = {"X-Real-IP": "4.4.4.4