Files
@ f08fbf424898
Branch filter:
Location: kallithea/scripts/generate-ini.py - annotation
f08fbf424898
2.1 KiB
text/x-python
auth: don't trust clients too much - only trust the *last* IP in the X-Forwarded-For header
The X-Forwarded-For header contains a list of IP addresses, where each
proxy server appends the IP they see their request coming from.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For .
Trusting the *first* IP in HTTP_X_FORWARDED_FOR would allow clients to claim
any IP, which could be used to bypass IP restrictions configured in Kallithea.
Instead, only trust the last proxy in the chain, and thus only use the *last*
IP in HTTP_X_FORWARDED_FOR. (In setups where more than last IP should be
trusted, the last proxy server in the chain must be configured rewrite the
header accordingly.)
The X-Forwarded-For header contains a list of IP addresses, where each
proxy server appends the IP they see their request coming from.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For .
Trusting the *first* IP in HTTP_X_FORWARDED_FOR would allow clients to claim
any IP, which could be used to bypass IP restrictions configured in Kallithea.
Instead, only trust the last proxy in the chain, and thus only use the *last*
IP in HTTP_X_FORWARDED_FOR. (In setups where more than last IP should be
trusted, the last proxy server in the chain must be configured rewrite the
header accordingly.)
aa6f17a53b49 06d5c043e989 495dea7c2a13 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 e3cce237d77c e3cce237d77c 0a277465fddf 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 fc6b1b0e1096 06d5c043e989 bbf7be28a11e 06d5c043e989 609d52bbf917 609d52bbf917 06d5c043e989 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 94f6b23e52d0 a8e6bb9ee9ea 665dfa112f2c 06d5c043e989 6eb1f66ac23f 06d5c043e989 a8e6bb9ee9ea 665dfa112f2c 06d5c043e989 ef9fd1434270 ef9fd1434270 ef9fd1434270 ef9fd1434270 ef9fd1434270 ef9fd1434270 ef9fd1434270 06d5c043e989 d06039dc4ca2 a8e6bb9ee9ea 94f6b23e52d0 94f6b23e52d0 06d5c043e989 06d5c043e989 06d5c043e989 | #!/usr/bin/env python3
"""
Generate development.ini based on the ini template.
"""
import re
from kallithea.lib import inifile
# files to be generated from the mako template
ini_files = [
('development.ini',
{
'[server:main]': {
'host': '0.0.0.0',
},
'[app:main]': {
'debug': 'true',
'app_instance_uuid': 'development-not-secret',
'session.secret': 'development-not-secret',
},
'[logger_root]': {
'handlers': 'console_color',
},
'[logger_routes]': {
'level': 'DEBUG',
},
'[logger_beaker]': {
'level': 'DEBUG',
},
'[logger_templates]': {
'level': 'INFO',
},
'[logger_kallithea]': {
'level': 'DEBUG',
},
'[logger_tg]': {
'level': 'DEBUG',
},
'[logger_gearbox]': {
'level': 'DEBUG',
},
'[logger_whoosh_indexer]': {
'level': 'DEBUG',
},
},
),
]
def main():
# make sure all mako lines starting with '#' (the '##' comments) are marked up as <text>
makofile = inifile.template_file
print('reading:', makofile)
mako_org = open(makofile).read()
mako_no_text_markup = re.sub(r'</?%text>', '', mako_org)
mako_marked_up = re.sub(r'\n##(.*)', r'\n<%text>##</%text>\1', mako_no_text_markup, flags=re.MULTILINE)
if mako_marked_up != mako_org:
print('writing:', makofile)
open(makofile, 'w').write(mako_marked_up)
lines = re.findall(r'\n(# [^ ].*)', mako_marked_up)
if lines:
print('ERROR: the template .ini file convention is to use "## Foo Bar" for text comments and "#foo = bar" for disabled settings')
for line in lines:
print(line)
raise SystemExit(1)
# create ini files
for fn, settings in ini_files:
print('updating:', fn)
inifile.create(fn, None, settings)
if __name__ == '__main__':
main()
|