diff options
Diffstat (limited to 'python/werkzeug/middleware/proxy_fix.py')
| -rw-r--r-- | python/werkzeug/middleware/proxy_fix.py | 228 |
1 files changed, 0 insertions, 228 deletions
diff --git a/python/werkzeug/middleware/proxy_fix.py b/python/werkzeug/middleware/proxy_fix.py deleted file mode 100644 index dc1dacc..0000000 --- a/python/werkzeug/middleware/proxy_fix.py +++ /dev/null @@ -1,228 +0,0 @@ -""" -X-Forwarded-For Proxy Fix -========================= - -This module provides a middleware that adjusts the WSGI environ based on -``X-Forwarded-`` headers that proxies in front of an application may -set. - -When an application is running behind a proxy server, WSGI may see the -request as coming from that server rather than the real client. Proxies -set various headers to track where the request actually came from. - -This middleware should only be applied if the application is actually -behind such a proxy, and should be configured with the number of proxies -that are chained in front of it. Not all proxies set all the headers. -Since incoming headers can be faked, you must set how many proxies are -setting each header so the middleware knows what to trust. - -.. autoclass:: ProxyFix - -:copyright: 2007 Pallets -:license: BSD-3-Clause -""" -import warnings - - -class ProxyFix(object): - """Adjust the WSGI environ based on ``X-Forwarded-`` that proxies in - front of the application may set. - - - ``X-Forwarded-For`` sets ``REMOTE_ADDR``. - - ``X-Forwarded-Proto`` sets ``wsgi.url_scheme``. - - ``X-Forwarded-Host`` sets ``HTTP_HOST``, ``SERVER_NAME``, and - ``SERVER_PORT``. - - ``X-Forwarded-Port`` sets ``HTTP_HOST`` and ``SERVER_PORT``. - - ``X-Forwarded-Prefix`` sets ``SCRIPT_NAME``. - - You must tell the middleware how many proxies set each header so it - knows what values to trust. It is a security issue to trust values - that came from the client rather than a proxy. - - The original values of the headers are stored in the WSGI - environ as ``werkzeug.proxy_fix.orig``, a dict. - - :param app: The WSGI application to wrap. - :param x_for: Number of values to trust for ``X-Forwarded-For``. - :param x_proto: Number of values to trust for ``X-Forwarded-Proto``. - :param x_host: Number of values to trust for ``X-Forwarded-Host``. - :param x_port: Number of values to trust for ``X-Forwarded-Port``. - :param x_prefix: Number of values to trust for - ``X-Forwarded-Prefix``. - :param num_proxies: Deprecated, use ``x_for`` instead. - - .. code-block:: python - - from werkzeug.middleware.proxy_fix import ProxyFix - # App is behind one proxy that sets the -For and -Host headers. - app = ProxyFix(app, x_for=1, x_host=1) - - .. versionchanged:: 0.15 - All headers support multiple values. The ``num_proxies`` - argument is deprecated. Each header is configured with a - separate number of trusted proxies. - - .. versionchanged:: 0.15 - Original WSGI environ values are stored in the - ``werkzeug.proxy_fix.orig`` dict. ``orig_remote_addr``, - ``orig_wsgi_url_scheme``, and ``orig_http_host`` are deprecated - and will be removed in 1.0. - - .. versionchanged:: 0.15 - Support ``X-Forwarded-Port`` and ``X-Forwarded-Prefix``. - - .. versionchanged:: 0.15 - ``X-Fowarded-Host`` and ``X-Forwarded-Port`` modify - ``SERVER_NAME`` and ``SERVER_PORT``. - """ - - def __init__( - self, app, num_proxies=None, x_for=1, x_proto=0, x_host=0, x_port=0, x_prefix=0 - ): - self.app = app - self.x_for = x_for - self.x_proto = x_proto - self.x_host = x_host - self.x_port = x_port - self.x_prefix = x_prefix - self.num_proxies = num_proxies - - @property - def num_proxies(self): - """The number of proxies setting ``X-Forwarded-For`` in front - of the application. - - .. deprecated:: 0.15 - A separate number of trusted proxies is configured for each - header. ``num_proxies`` maps to ``x_for``. This method will - be removed in 1.0. - - :internal: - """ - warnings.warn( - "'num_proxies' is deprecated as of version 0.15 and will be" - " removed in version 1.0. Use 'x_for' instead.", - DeprecationWarning, - stacklevel=2, - ) - return self.x_for - - @num_proxies.setter - def num_proxies(self, value): - if value is not None: - warnings.warn( - "'num_proxies' is deprecated as of version 0.15 and" - " will be removed in version 1.0. Use 'x_for' instead.", - DeprecationWarning, - stacklevel=2, - ) - self.x_for = value - - def get_remote_addr(self, forwarded_for): - """Get the real ``remote_addr`` by looking backwards ``x_for`` - number of values in the ``X-Forwarded-For`` header. - - :param forwarded_for: List of values parsed from the - ``X-Forwarded-For`` header. - :return: The real ``remote_addr``, or ``None`` if there were not - at least ``x_for`` values. - - .. deprecated:: 0.15 - This is handled internally for each header. This method will - be removed in 1.0. - - .. versionchanged:: 0.9 - Use ``num_proxies`` instead of always picking the first - value. - - .. versionadded:: 0.8 - """ - warnings.warn( - "'get_remote_addr' is deprecated as of version 0.15 and" - " will be removed in version 1.0. It is now handled" - " internally for each header.", - DeprecationWarning, - ) - return self._get_trusted_comma(self.x_for, ",".join(forwarded_for)) - - def _get_trusted_comma(self, trusted, value): - """Get the real value from a comma-separated header based on the - configured number of trusted proxies. - - :param trusted: Number of values to trust in the header. - :param value: Header value to parse. - :return: The real value, or ``None`` if there are fewer values - than the number of trusted proxies. - - .. versionadded:: 0.15 - """ - if not (trusted and value): - return - values = [x.strip() for x in value.split(",")] - if len(values) >= trusted: - return values[-trusted] - - def __call__(self, environ, start_response): - """Modify the WSGI environ based on the various ``Forwarded`` - headers before calling the wrapped application. Store the - original environ values in ``werkzeug.proxy_fix.orig_{key}``. - """ - environ_get = environ.get - orig_remote_addr = environ_get("REMOTE_ADDR") - orig_wsgi_url_scheme = environ_get("wsgi.url_scheme") - orig_http_host = environ_get("HTTP_HOST") - environ.update( - { - "werkzeug.proxy_fix.orig": { - "REMOTE_ADDR": orig_remote_addr, - "wsgi.url_scheme": orig_wsgi_url_scheme, - "HTTP_HOST": orig_http_host, - "SERVER_NAME": environ_get("SERVER_NAME"), - "SERVER_PORT": environ_get("SERVER_PORT"), - "SCRIPT_NAME": environ_get("SCRIPT_NAME"), - }, - # todo: remove deprecated keys - "werkzeug.proxy_fix.orig_remote_addr": orig_remote_addr, - "werkzeug.proxy_fix.orig_wsgi_url_scheme": orig_wsgi_url_scheme, - "werkzeug.proxy_fix.orig_http_host": orig_http_host, - } - ) - - x_for = self._get_trusted_comma(self.x_for, environ_get("HTTP_X_FORWARDED_FOR")) - if x_for: - environ["REMOTE_ADDR"] = x_for - - x_proto = self._get_trusted_comma( - self.x_proto, environ_get("HTTP_X_FORWARDED_PROTO") - ) - if x_proto: - environ["wsgi.url_scheme"] = x_proto - - x_host = self._get_trusted_comma( - self.x_host, environ_get("HTTP_X_FORWARDED_HOST") - ) - if x_host: - environ["HTTP_HOST"] = x_host - parts = x_host.split(":", 1) - environ["SERVER_NAME"] = parts[0] - if len(parts) == 2: - environ["SERVER_PORT"] = parts[1] - - x_port = self._get_trusted_comma( - self.x_port, environ_get("HTTP_X_FORWARDED_PORT") - ) - if x_port: - host = environ.get("HTTP_HOST") - if host: - parts = host.split(":", 1) - host = parts[0] if len(parts) == 2 else host - environ["HTTP_HOST"] = "%s:%s" % (host, x_port) - environ["SERVER_PORT"] = x_port - - x_prefix = self._get_trusted_comma( - self.x_prefix, environ_get("HTTP_X_FORWARDED_PREFIX") - ) - if x_prefix: - environ["SCRIPT_NAME"] = x_prefix - - return self.app(environ, start_response) |