Changed: remote_ip_header has to be explicitly set

For #260
mnot · Nov 5, 2023 · abc3665 · abc3665
1 parent 8baadf4
commit abc3665
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 20 deletions.
diff --git a/config.txt b/config.txt
@@ -55,6 +55,12 @@ ui_uri = https://redbot.org/
 # URI root for static assets (absolute or relative, but no trailing '/').
 static_root = static
 
+# The name of a HTTP request header that will contain the client's IP address. Used for
+# logging, rate limiting, and CAPTCHA identification.
+# DO NOT SET this unless you trust the value of this header (e.g., it is under control of
+# your infrastructure). Comment out to disable.
+# remote_ip_header = X-Forwarded-For
+
 
 ## Saved Tests
 

diff --git a/redbot/daemon.py b/redbot/daemon.py
@@ -148,22 +148,18 @@ def request_body(self, chunk: bytes) -> None:
     def request_done(self, trailers: RawHeaderListType) -> None:
         p_uri = urlsplit(self.uri)
         if p_uri.path == b"/":
+            client_ip = self.exchange.http_conn.tcp_conn.socket.getpeername()[0].encode(
+                "idna"
+            )
             try:
-                self.req_hdrs.append(
-                    (
-                        b"client-ip",
-                        self.exchange.http_conn.tcp_conn.socket.getpeername()[0].encode(
-                            "idna"
-                        ),
-                    )
-                )
                 RedWebUi(
                     self.server.config,
                     self.method.decode(self.server.config["charset"]),
                     p_uri.query,
                     self.req_hdrs,
                     self.req_body,
                     self.exchange,
+                    client_ip,
                     self.server.console,
                 )
                 return None

diff --git a/redbot/webui/__init__.py b/redbot/webui/__init__.py
@@ -55,6 +55,7 @@ def __init__(
         req_headers: RawHeaderListType,
         req_body: bytes,
         exchange: HttpResponseExchange,
+        client_ip: str,
         error_log: Callable[[str], int] = sys.stderr.write,
     ) -> None:
         self.config: SectionProxy = config
@@ -65,8 +66,14 @@ def __init__(
         self.req_body = req_body
         self.body_args = {}
         self.exchange = exchange
+        self.client_ip = client_ip
         self.error_log = error_log  # function to log errors to
 
+        # stash the remote IP header name
+        self.remote_ip_header = (
+            self.config.get("remote_ip_header", "").lower().encode("ascii")
+        )
+
         # query processing
         self.test_uri = self.query_string.get("uri", [""])[0]
         self.test_id = self.query_string.get("id", [None])[0]
@@ -183,7 +190,7 @@ def run_test(self) -> None:
         # Captcha
         captcha = CaptchaHandler(
             self,
-            self.get_client_id(),
+            self.get_client_ip(),
             continue_test,
             error_response,
         )
@@ -343,13 +350,18 @@ def timeout_error(self, detail: Callable[[], str] = None) -> None:
 
     def get_client_id(self) -> str:
         """
-        Figure out an identifier for the client.
+        Return as unique an identifier for the client as possible.
+        """
+        return self.get_client_ip()
+
+    def get_client_ip(self) -> str:
+        """
+        Return what we believe to be the client's IP address.
         """
-        xff = thor.http.common.get_header(self.req_headers, b"x-forwarded-for")
-        if xff:
-            return str(xff[-1].decode("idna"))
-        return str(
-            thor.http.common.get_header(self.req_headers, b"client-ip")[-1].decode(
-                "idna"
+        if self.remote_ip_header:
+            remote_ip = thor.http.common.get_header(
+                self.req_headers, self.remote_ip_header
             )
-        )
+            if remote_ip:
+                return str(remote_ip[-1].decode("ascii", errors="replace"))
+        return self.client_ip
diff --git a/redbot/webui/captcha.py b/redbot/webui/captcha.py
@@ -36,12 +36,12 @@ class CaptchaHandler:
     def __init__(
         self,
         webui: "RedWebUi",
-        client_id: str,
+        client_ip: str,
         continue_test: Callable,
         error_response: Callable,
     ) -> None:
         self.webui = webui
-        self.client_id = client_id
+        self.client_ip = client_ip
         self.continue_test = continue_test
         self.error_response = error_response
         self.provider = webui.config.get("captcha_provider", "")
@@ -153,7 +153,7 @@ def response_done(_: RawHeaderListType) -> None:
         request_form = {
             "secret": self.secret,
             "response": presented_token,
-            "remoteip": self.client_id,
+            "remoteip": self.client_ip,
         }
         exchange.request_start(
             b"POST",