Edgewall Software

Ticket #3211 (new defect)

Opened 2 years ago

Last modified 9 months ago

IP check too strict

Reported by: bbrazil Owned by: jonas
Priority: low Milestone: 2.0
Component: general Version: devel
Severity: normal Keywords: consider
Cc: dalius@…

Description

In trac/web/auth.py the IP check against cookies/sessions requries the exact same IP. This doesn't work for NAT over multiple IP addresses, or using multiple proxies which makes login impossible. The solution is to check only the /24.

Patch (implementation by Dinko Korunic): 

--- trac/web/auth.py    (revision 3356)
+++ trac/web/auth.py    (working copy)
@@ -166,9 +166,11 @@
        db = self.env.get_db_cnx()
        cursor = db.cursor()
        if self.check_ip:
+            ipaddr = '.'.join(req.remote_addr.split('.')[:-1])
+            ipaddr = ipaddr + '%'
            cursor.execute("SELECT name FROM auth_cookie "
-                           "WHERE cookie=%s AND ipnr=%s",
-                           (cookie.value, req.remote_addr))
+                           "WHERE cookie=%s AND ipnr LIKE %s",
+                           (cookie.value, ipaddr))
        else:
            cursor.execute("SELECT name FROM auth_cookie WHERE cookie=%s",
                           (cookie.value,))

This is related to #1485

Attachments

Change History

Changed 2 years ago by eblot

  • milestone 0.9.6 deleted

Assuming that the subnet is defined as 24.8 is network-specific.

This kind of hardcoded value cannot be used as-is.

Changed 2 years ago by coderanger

This can already be controled with the check_auth_ip option.

Changed 2 years ago by Dinko Korunic <dinko.korunic@…>

No, it cannot be controlled. There is a big difference between completely turning off the IP cookie check (via check_auth_ip) and comparing a part of IP address (and being less prone to cookie-based attacks).

Changed 2 years ago by Dinko Korunic <dinko.korunic@…>

Anyway, I absolutely agree that idea to hardcode /24 check is bad - I presume there shouldn't be to complex to add one more config notification setting which will define netmask width and use it here.

Changed 17 months ago by cboos

  • keywords consider added
  • priority changed from normal to low
  • milestone set to 2.0

A patch would probably help to revive this issue...

Changed 9 months ago by Dalius Dobravolskas

Here is alternate fix using mask. It is a little bit better than proposed because it is configurable to use either strict IP check or /24. By default it is /24 (mask=255.255.255.0).

My fix is for trac OpenID authentication plugin (http://trac-hacks.org/wiki/AuthOpenIdPlugin) but I'm pretty sure it is not hard to adapt my fix to original Trac. Here is diff: http://hg.sandbox.lt/authopenid-plugin/rev/7f795537f6d2

Changed 9 months ago by Dalius Dobravolskas

  • cc dalius@… added

Add/Change #3211 (IP check too strict)

Author



Change Properties
<Author field>
Action
as new
as The resolution will be set. Next status will be 'closed'
to The owner will change. Next status will be 'new'
The owner will change to anonymous. Next status will be 'assigned'
 
Note: See TracTickets for help on using tickets.