Edgewall Software
Modify

Opened 18 years ago

Closed 14 years ago

#3211 closed defect (wontfix)

IP check too strict

Reported by: bbrazil Owned by: Jonas Borgström
Priority: low Milestone:
Component: general Version: devel
Severity: normal Keywords: consider
Cc: dalius@… Branch:
Release Notes:
API Changes:
Internal Changes:

Description

In trac/web/auth.py the IP check against cookies/sessions requries the exact same IP. This doesn't work for NAT over multiple IP addresses, or using multiple proxies which makes login impossible. The solution is to check only the /24.

Patch (implementation by Dinko Korunic): 

--- trac/web/auth.py    (revision 3356)
+++ trac/web/auth.py    (working copy)
@@ -166,9 +166,11 @@
        db = self.env.get_db_cnx()
        cursor = db.cursor()
        if self.check_ip:
+            ipaddr = '.'.join(req.remote_addr.split('.')[:-1])
+            ipaddr = ipaddr + '%'
            cursor.execute("SELECT name FROM auth_cookie "
-                           "WHERE cookie=%s AND ipnr=%s",
-                           (cookie.value, req.remote_addr))
+                           "WHERE cookie=%s AND ipnr LIKE %s",
+                           (cookie.value, ipaddr))
        else:
            cursor.execute("SELECT name FROM auth_cookie WHERE cookie=%s",
                           (cookie.value,))

This is related to #1485

Attachments (0)

Change History (9)

comment:1 by Emmanuel Blot, 18 years ago

Milestone: 0.9.6

Assuming that the subnet is defined as 24.8 is network-specific.

This kind of hardcoded value cannot be used as-is.

comment:2 by coderanger, 18 years ago

This can already be controled with the check_auth_ip option.

comment:3 by Dinko Korunic <dinko.korunic@…>, 18 years ago

No, it cannot be controlled. There is a big difference between completely turning off the IP cookie check (via check_auth_ip) and comparing a part of IP address (and being less prone to cookie-based attacks).

comment:4 by Dinko Korunic <dinko.korunic@…>, 18 years ago

Anyway, I absolutely agree that idea to hardcode /24 check is bad - I presume there shouldn't be to complex to add one more config notification setting which will define netmask width and use it here.

comment:5 by Christian Boos, 17 years ago

Keywords: consider added
Milestone: 2.0
Priority: normallow

A patch would probably help to revive this issue…

comment:6 by Dalius Dobravolskas, 16 years ago

Here is alternate fix using mask. It is a little bit better than proposed because it is configurable to use either strict IP check or /24. By default it is /24 (mask=255.255.255.0).

My fix is for trac OpenID authentication plugin (http://trac-hacks.org/wiki/AuthOpenIdPlugin) but I'm pretty sure it is not hard to adapt my fix to original Trac. Here is diff: http://hg.sandbox.lt/authopenid-plugin/rev/7f795537f6d2

comment:7 by Dalius Dobravolskas, 16 years ago

Cc: dalius@… added

comment:8 by Christian Boos, 14 years ago

Milestone: 2.0unscheduled

Milestone 2.0 deleted

comment:9 by Remy Blank, 14 years ago

Milestone: triaging
Resolution: wontfix
Status: newclosed

check_auth_ip has been false by default for some time now, and solves the initial issue. I don't think adding subnet checking is worth the additional code and configuration complexity.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment
E-mail address and name can be saved in the Preferences .
AttachmentsDescription
 
Note: See TracTickets for help on using tickets.