summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorJacob Kaplan-Moss <jacob@jacobian.org>2009-07-29 05:35:51 +0000
committerJacob Kaplan-Moss <jacob@jacobian.org>2009-07-29 05:35:51 +0000
commitd78cf61c992079a04892abe27c439431e4ef633b (patch)
treec95d027f9a43d7df16a170b7916cd95a87c0d7de /docs/ref
parent91f18400cc0fb37659e2dbaab5484ff2081f1f30 (diff)
BACKWARDS-INCOMPATIBLE CHANGE: Removed SetRemoteAddrFromForwardedFor middleware.
In a nutshell, it's been demonstrated that this middleware can never be made reliable enough for general-purpose use, and that (despite documentation to the contrary) its inclusion in Django may lead application developers to assume that the value of ``REMOTE_ADDR`` is "safe" or in some way reliable as a source of authentication. So it's gone. See the Django 1.1 release notes for full details, as well as upgrade instructions. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11363 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/middleware.txt13
1 files changed, 3 insertions, 10 deletions
diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt
index 5125f6e064..ff51df9e8f 100644
--- a/docs/ref/middleware.txt
+++ b/docs/ref/middleware.txt
@@ -122,17 +122,10 @@ Reverse proxy middleware
.. class:: django.middleware.http.SetRemoteAddrFromForwardedFor
-Sets ``request.META['REMOTE_ADDR']`` based on
-``request.META['HTTP_X_FORWARDED_FOR']``, if the latter is set. This is useful
-if you're sitting behind a reverse proxy that causes each request's
-``REMOTE_ADDR`` to be set to ``127.0.0.1``.
+.. versionchanged: 1.1
-**Important note:** This does NOT validate ``HTTP_X_FORWARDED_FOR``. If you're
-not behind a reverse proxy that sets ``HTTP_X_FORWARDED_FOR`` automatically, do
-not use this middleware. Anybody can spoof the value of
-``HTTP_X_FORWARDED_FOR``, and because this sets ``REMOTE_ADDR`` based on
-``HTTP_X_FORWARDED_FOR``, that means anybody can "fake" their IP address. Only
-use this when you can absolutely trust the value of ``HTTP_X_FORWARDED_FOR``.
+This middleware was removed in Django 1.1. See :ref:`the release notes
+<removed-setremoteaddrfromforwardedfor-middleware>` for details.
Locale middleware
-----------------