Files @ f08fbf424898
Branch filter:

Location: kallithea/scripts/run-all-cleanup

f08fbf424898 510 B text/plain Show Annotation Show as Raw Download as Raw
mads
auth: don't trust clients too much - only trust the *last* IP in the X-Forwarded-For header

The X-Forwarded-For header contains a list of IP addresses, where each
proxy server appends the IP they see their request coming from.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For .

Trusting the *first* IP in HTTP_X_FORWARDED_FOR would allow clients to claim
any IP, which could be used to bypass IP restrictions configured in Kallithea.

Instead, only trust the last proxy in the chain, and thus only use the *last*
IP in HTTP_X_FORWARDED_FOR. (In setups where more than last IP should be
trusted, the last proxy server in the chain must be configured rewrite the
header accordingly.)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#!/bin/sh

# Convenience script for running various idempotent source code cleanup scripts

set -e
set -x

hg files 'set:!binary()&grep("^#!.*python")' 'set:**.py' | xargs scripts/deps.py
dot -Tsvg deps.dot > deps.svg

scripts/docs-headings.py
scripts/generate-ini.py
scripts/whitespacecleanup.sh
hg files 'set:!binary()&grep("^#!.*python")' 'set:**.py' | xargs scripts/source_format.py

hg files 'set:!binary()&grep("^#!.*python")' 'set:**.py' | xargs scripts/pyflakes
echo "no blocking problems found by $0"
Server instance: clio-7831 This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3. – Support