Get IP security bug?

I want to get the IP for the requested service. I can successfully get the IP by using frappe.local.request_ip.
But the IP can be changed by passing a header X-Forwarded-For: <dummy ip>.

This is the test that I did. I can add any value on that header and it will return that value. (The IP in the photo is just a dummy IP.)

UPDATE:
After looking at source code I see that frappe.get_request_header('X-Forwarded-For') is used to get the ip.

Now, when I call this without X-Forwarded-For it returns my real IP.

But if I pass X-Forwarded-For as a header it returns the dummy AND my real IP separated by comma where the Real IP is in the end.

I think this should be fixed IF frappe.get_request_header('X-Forwarded-For') returns the real IP in the end.

Any update on this because I think this is a serious security bug. It can bypass IP restriction.
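As an added illustration (not code from the thread or from Frappe itself) of the behaviour described above: taking the first X-Forwarded-For value believes whatever the client sent, while walking the list from the right past known proxies yields the address the proxy actually saw. The trusted proxy address 10.0.0.5 and the sample client addresses are constructed for the example.

```python
import ipaddress

# Constructed: the app sits behind one trusted reverse proxy (e.g. nginx)
# at 10.0.0.5 that appends the real peer address to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in the header is never a trusted hop
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(headers, remote_addr):
    # The pattern the thread describes: first X-Forwarded-For value wins,
    # so a client-supplied value is accepted as-is.
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(headers, remote_addr):
    # If the TCP peer is not a proxy we trust, the header is untrusted input
    # and the socket address is the only reliable answer.
    if not _is_trusted(remote_addr):
        return remote_addr
    # Each trusted proxy appends the address it saw, so read right-to-left
    # and stop at the first hop that is not one of our own proxies.
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    return remote_addr
```

Any IP allow/deny check should be applied to the result of client_ip, never to the raw header.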

Hi Aldo

If you have not done so, best direct this to Frappe to inform them for review.

Thanks for sharing!

Hi,

Could you try making the changes from this PR to your nginx configuration:

https://github.com/frappe/bench/pull/1024

This basically makes NGINX set the IP address instead of letting the user define the IP through the request. This should help fix your issue.

I changed nginx config on /home/frappe/frappe-bench/config/nginx.conf and it is still the same.

Thank You. Reported.

Did you reload the NGINX service after doing so? It should work fine thereafter.

Excellent Chinmay is on the case -

I hope you Frappe folks are well @chinmaypai, I enjoyed Rushabh’s account of your team getaway trek in the mountains :slight_smile:

We’re doing well, and we hope you are too :slight_smile:
