registry: fix security of some RPC when serving behind proxy

7cdf00d7 · Julien Muchembled · 3b5d03e4 · 7cdf00d7
Commit 7cdf00d7 authored Dec 17, 2014 by Julien Muchembled
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 4 deletions

registry.py re6st/registry.py +7 -4

No files found.
--- a/re6st/registry.py
+++ b/re6st/registry.py
@@ -161,11 +161,14 @@ class RegistryServer(object):
            #       (IOW, do the contrary of newPrefix)
            self.timeout = not_after and not_after + GRACE_PERIOD

-    def handle_request(self, request, method, kw):
+    def handle_request(self, request, method, kw,
+                       _localhost=('127.0.0.1', '::1')):
        m = getattr(self, method)
-        if method in ('versions', 'topology',) and \
-           request.client_address[0] not in ('127.0.0.1', '::1'):
-            return request.send_error(httplib.FORBIDDEN)
+        if method in ('versions', 'topology'):
+            x_forwarded_for = request.headers.get('X-Forwarded-For')
+            if request.client_address[0] not in _localhost or \
+               x_forwarded_for and x_forwarded_for not in _localhost:
+                return request.send_error(httplib.FORBIDDEN)
        key = m.getcallargs(**kw).get('cn')
        if key:
            h = base64.b64decode(request.headers[HMAC_HEADER])