@ f08fbf424898
Location: kallithea/.coveragerc - annotation
823 B
text/plain
auth: don't trust clients too much - only trust the *last* IP in the X-Forwarded-For header
The X-Forwarded-For header contains a list of IP addresses, where each
proxy server appends the IP they see their request coming from.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For .
Trusting the *first* IP in HTTP_X_FORWARDED_FOR would allow clients to claim
any IP, which could be used to bypass IP restrictions configured in Kallithea.
Instead, only trust the last proxy in the chain, and thus only use the *last*
IP in HTTP_X_FORWARDED_FOR. (In setups where more than the last IP should be
trusted, the last proxy server in the chain must be configured to rewrite the
header accordingly.)
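The first-versus-last choice described in the commit message above, as an added Python example that is not Kallithea's own code. The function names, the WSGI-style `environ` dicts and the allow-list are assumptions constructed for illustration.

```python
import ipaddress

def forwarded_chain(environ):
    """Split HTTP_X_FORWARDED_FOR into its comma-separated entries."""
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    return [part.strip() for part in raw.split(",") if part.strip()]

def client_ip_first(environ):
    """Weak choice: the first entry is whatever the client sent."""
    chain = forwarded_chain(environ)
    return chain[0] if chain else environ.get("REMOTE_ADDR")

def client_ip_last(environ):
    """Hardened choice: the last entry was appended by the proxy
    nearest the application. Assumes the application is only reachable
    through that proxy. Malformed values fall back to REMOTE_ADDR."""
    chain = forwarded_chain(environ)
    candidate = chain[-1] if chain else environ.get("REMOTE_ADDR")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return environ.get("REMOTE_ADDR")

def ip_allowed(ip, allowed_networks):
    """Return True if ip falls inside any of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)

# Constructed sample: IP restriction allowing only the internal range.
ALLOWED = ["10.0.0.0/8"]

# Constructed request: an external client (203.0.113.7) supplied its own
# "X-Forwarded-For: 10.0.0.5"; the reverse proxy appended the address it
# actually saw and connected to the application from localhost.
SPOOFED = {
    "HTTP_X_FORWARDED_FOR": "10.0.0.5, 203.0.113.7",
    "REMOTE_ADDR": "127.0.0.1",
}

if __name__ == "__main__":
    for pick in (client_ip_first, client_ip_last):
        ip = pick(SPOOFED)
        print(f"{pick.__name__}: {ip} allowed={ip_allowed(ip, ALLOWED)}")
```
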
[run]
omit =
    # the bin scripts are not part of the Kallithea web app
    kallithea/bin/*
    # we ship with no active extensions
    kallithea/config/rcextensions/*
    # dbmigrate is not a part of the Kallithea web app
    kallithea/lib/dbmigrate/*
    # the tests themselves should not be part of the coverage report
    kallithea/tests/*

# same omit lines should be present in sections 'run' and 'report'
[report]
omit =
    # the bin scripts are not part of the Kallithea web app
    kallithea/bin/*
    # we ship with no active extensions
    kallithea/config/rcextensions/*
    # dbmigrate is not a part of the Kallithea web app
    kallithea/lib/dbmigrate/*
    # the tests themselves should not be part of the coverage report
    kallithea/tests/*

[paths]
source =
    kallithea/
    **/workspace/*/kallithea