Opened 19 years ago
Closed 14 years ago
#3211 closed defect (wontfix)
IP check too strict
Reported by: | bbrazil | Owned by: | Jonas Borgström |
---|---|---|---|
Priority: | low | Milestone: | |
Component: | general | Version: | devel |
Severity: | normal | Keywords: | consider |
Cc: | dalius@… | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
In trac/web/auth.py the IP check against cookies/sessions requries the exact same IP. This doesn't work for NAT over multiple IP addresses, or using multiple proxies which makes login impossible. The solution is to check only the /24.
Patch (implementation by Dinko Korunic):
--- trac/web/auth.py (revision 3356) +++ trac/web/auth.py (working copy) @@ -166,9 +166,11 @@ db = self.env.get_db_cnx() cursor = db.cursor() if self.check_ip: + ipaddr = '.'.join(req.remote_addr.split('.')[:-1]) + ipaddr = ipaddr + '%' cursor.execute("SELECT name FROM auth_cookie " - "WHERE cookie=%s AND ipnr=%s", - (cookie.value, req.remote_addr)) + "WHERE cookie=%s AND ipnr LIKE %s", + (cookie.value, ipaddr)) else: cursor.execute("SELECT name FROM auth_cookie WHERE cookie=%s", (cookie.value,))
This is related to #1485
Attachments (0)
Change History (9)
comment:1 by , 19 years ago
Milestone: | 0.9.6 |
---|
comment:3 by , 19 years ago
No, it cannot be controlled. There is a big difference between completely turning off the IP cookie check (via check_auth_ip) and comparing a part of IP address (and being less prone to cookie-based attacks).
comment:4 by , 19 years ago
Anyway, I absolutely agree that idea to hardcode /24 check is bad - I presume there shouldn't be to complex to add one more config notification setting which will define netmask width and use it here.
comment:5 by , 18 years ago
Keywords: | consider added |
---|---|
Milestone: | → 2.0 |
Priority: | normal → low |
A patch would probably help to revive this issue…
comment:6 by , 17 years ago
Here is alternate fix using mask. It is a little bit better than proposed because it is configurable to use either strict IP check or /24. By default it is /24 (mask=255.255.255.0).
My fix is for trac OpenID authentication plugin (http://trac-hacks.org/wiki/AuthOpenIdPlugin) but I'm pretty sure it is not hard to adapt my fix to original Trac. Here is diff: http://hg.sandbox.lt/authopenid-plugin/rev/7f795537f6d2
comment:7 by , 17 years ago
Cc: | added |
---|
comment:9 by , 14 years ago
Milestone: | triaging |
---|---|
Resolution: | → wontfix |
Status: | new → closed |
check_auth_ip
has been false
by default for some time now, and solves the initial issue. I don't think adding subnet checking is worth the additional code and configuration complexity.
Assuming that the subnet is defined as 24.8 is network-specific.
This kind of hardcoded value cannot be used as-is.