Fixed #3872 -- Fixed incorrect handling of HTTP_X_FORWARDED_FOR in SetRemoteAddrFromForwardedFor. Thanks, Simon Willison and gregorth

git-svn-id: http://code.djangoproject.com/svn/django/trunk@6364 bcc190cf-cafb-0310-a4f2-bffc1f526a37
author: Adrian Holovaty <adrian@holovaty.com> 2007-09-16 16:54:16 +0000
committer: Adrian Holovaty <adrian@holovaty.com> 2007-09-16 16:54:16 +0000
commit: 0f4fb9755cb91389a500629da0fe1739afbc2a20 (patch)
tree: c407f579c6939903a8fd096fcc923131acde47f6 /django/middleware/http.py
parent: 4541a4d3a98c390d9306d49fad0357569a3a7e2d (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/django/middleware/http.py b/django/middleware/http.py
index 8db3e4a524..78e066c67b 100644
--- a/django/middleware/http.py
+++ b/django/middleware/http.py
@@ -55,6 +55,7 @@ class SetRemoteAddrFromForwardedFor(object):
             return None
         else:
             # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
-            # Take just the first one.
-            real_ip = real_ip.split(",")[0]
+            # Take just the last one.
+            # See http://bob.pythonmac.org/archives/2005/09/23/apache-x-forwarded-for-caveat/
+            real_ip = real_ip.split(",")[-1].strip()
             request.META['REMOTE_ADDR'] = real_ip
author	Adrian Holovaty <adrian@holovaty.com>	2007-09-16 16:54:16 +0000
committer	Adrian Holovaty <adrian@holovaty.com>	2007-09-16 16:54:16 +0000
commit	0f4fb9755cb91389a500629da0fe1739afbc2a20 (patch)
tree	c407f579c6939903a8fd096fcc923131acde47f6 /django/middleware/http.py
parent	4541a4d3a98c390d9306d49fad0357569a3a7e2d (diff)