Pass X-Forwarded-For and X-Forwarded-Proto headers as

HTTP_X-FORWARDED-FOR and HTTP_X-FORWARDED-PROTO variables
in the tracker environment array.

Neither of these variables should be used by the code code unless
config.ini params are added to control their use.

I use the FORWARDED-FOR variable to disable the reCAPTCHA extenxaion
check if it is a local address using:

  if 'HTTP_X-FORWARDED-FOR' in self.client.env:
     # if proxied from client at local site, don't validate captcha
     # used for running automated tests.
     clientip=self.client.env['HTTP_X-FORWARDED-FOR'].split(',')[0]
     if clientip.startswith("192.168.10."):
         secret="none"

I run a front end web server that proxies over loopback to the running
roundup-server. So I feel I can trust the X-Forwarded-For header. In
other setup's that may not be true. Hence the requirement that it not
be used in core roundup code without allowing the roundup admin the
ability to disable it.

Author: rouilj

CHANGES.txt

@@ -209,6 +209,13 @@ Features:
   from the templating class to the hyperdb. (John Rouillard)
 - Improves diagnostics for mail processing: When using logging level = DEBUG,
   bounces and bounce problems are logged. (Bernhard Reiter)
+- In roundup-server, pass X-Forwarded-For and X-Forwarded-Proto
+  headers as the environment variables: HTTP_X-FORWARDED-FOR and
+  HTTP_X_FORWARDED_PROTO. If the user is running roundup server behind
+  a proxy, these headers allow the user to write extensions that can
+  figure out the original client ip and protocol. None of the core
+  roundup code uses these headers/env vars. These headers can be
+  spoofed by bad proxies etc. so you have been warned.
 
 Fixed:
 

roundup/scripts/roundup_server.py

@@ -375,9 +375,38 @@ def inner_run_cgi(self):
             env['HTTP_HOST'] = self.headers ['host']
         except KeyError:
             env['HTTP_HOST'] = ''
+        # https://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-10
+        # headers.
         xfh = self.headers.getheader('X-Forwarded-Host', None)
         if xfh:
+            # If behind a proxy, this is the hostname supplied
+            # via the Host header to the proxy. Used by core code.
+            # Controlled by the CSRF settings.
             env['HTTP_X-FORWARDED-HOST'] = xfh
+        xff = self.headers.getheader('X-Forwarded-For', None)
+        if xff:
+            # xff is a list of ip addresses for original client/proxies:
+            # X-Forwarded-For: clientIP, proxy1IP, proxy2IP
+            # May not be trustworthy. Do not use in core without
+            # config option to control its use.
+            # Made available for extensions if the user trusts it.
+            # E.g. you may wish to disable recaptcha validation extension
+            # if the ip of the client matches 172.16.0.0.
+            env['HTTP_X-FORWARDED-FOR'] = xff
+        xfp = self.headers.getheader('X-Forwarded-Proto', None)
+        if xfp:
+            # xfp is the protocol (http/https) seen by proxies in the
+            # path of the request. I am not sure if there is only
+            # one value or multiple, but I suspect multiple
+            # is possible so:
+            # X-Forwarded-Proto: https, http
+            # is expected if the path is:
+            #    client -> proxy1 -> proxy2 -> back end server
+            # an proxy1 is an SSL terminator.
+            # May not be trustworthy. Do not use in core without
+            # config option to control its use.
+            # Made available for extensions if the user trusts it.
+            env['HTTP_X-FORWARDED-PROTO'] = xfp
         if os.environ.has_key('CGI_SHOW_TIMING'):
             env['CGI_SHOW_TIMING'] = os.environ['CGI_SHOW_TIMING']
         env['HTTP_ACCEPT_LANGUAGE'] = self.headers.get('accept-language')