From c6bccaaac0aa477e2f3a498888b8eb4d48d6075c Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Wed, 21 Mar 2018 11:48:18 +0530
Subject: [PATCH] Workaround security issues in django-axes

Newer versions of Django axes have newly way to get the IP address of a client using ipware library. This has multiple security issues https://github.com/jazzband/django-axes/issues/286 . Workaround them by controlling the X-FORWARDED-FOR header sent from Apache to FreedomBox and by limiting the headers that ipware uses.

Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 data/etc/apache2/sites-available/plinth.conf | 8 ++++++++
 plinth/__main__.py | 1 +
 2 files changed, 9 insertions(+)

diff --git a/data/etc/apache2/sites-available/plinth.conf b/data/etc/apache2/sites-available/plinth.conf
index 689ab05fa..41d4dbc3a 100644
--- a/data/etc/apache2/sites-available/plinth.conf
+++ b/data/etc/apache2/sites-available/plinth.conf
@@ -11,4 +11,12 @@
 ## Send the scheme from user's request to enable Plinth to redirect
 ## URLs, set cookies, set absolute URLs (if any) properly.
 RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+
+ ## Ignore any X-FORWARDED-FOR headers sent by the client and their
+ ## proxies. Apache will still set this header with the remote
+ ## address of the client. Apache is the first and only trusted entry
+ ## point for FreedomBox. Any code that does not deal with this
+ ## header properly will remain safe. For example:
+ ## https://github.com/jazzband/django-axes/issues/286
+ RequestHeader unset X-Forwarded-For
diff --git a/plinth/__main__.py b/plinth/__main__.py
index 380d206d6..990a213a2 100644
--- a/plinth/__main__.py
+++ b/plinth/__main__.py
@@ -273,6 +273,7 @@ def configure_django():
 DEBUG=cfg.debug,
 FORCE_SCRIPT_NAME=cfg.server_dir,
 INSTALLED_APPS=applications,
+ IPWARE_META_PRECEDENCE_ORDER=('HTTP_X_FORWARDED_FOR',),
 LOGGING=logging_configuration,
 LOGIN_URL='users:login',
 LOGIN_REDIRECT_URL='index',
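Review bot: The promise in the new comment, that Apache "will still set this header" after `RequestHeader unset X-Forwarded-For`, holds only because mod_proxy re-adds X-Forwarded-For with the peer address when it forwards the request (ProxyAddHeaders, on by default) and only for requests that pass through the enclosing block, whose opening is outside the hunk. That dependency should be stated next to the directive so a later edit does not silently break it, e.g. `## Relies on mod_proxy (ProxyAddHeaders On, the default) re-adding the header when forwarding; if that is off the header is simply absent.` The unset runs in the fixup phase while mod_proxy adds the header in its handler, so the ordering is correct as written, but a reader cannot tell that from the file alone. If the directive ever ends up in a scope that does not proxy to Plinth, the application sees no X-Forwarded-For at all, which is the safe failure mode given the Django-side precedence list but worth documenting here.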
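Review bot: The new `IPWARE_META_PRECEDENCE_ORDER=('HTTP_X_FORWARDED_FOR',)` entry carries no explanation in the code, yet it is only safe in combination with Apache stripping client-supplied X-Forwarded-For in plinth.conf; a reader of configure_django(), whose body starts and ends outside the hunk, cannot see that coupling. Add a why-comment above the setting, e.g. `# Trust only the X-Forwarded-For header that Apache sets; plinth.conf unsets any client-supplied copy (see django-axes issue 286).` It would also be worth noting there that if Plinth is ever reached without Apache in front, the header, when present at all, is client-controlled and this precedence list no longer yields a trustworthy address; whether such a deployment mode exists I cannot tell from the hunk.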