David Gerard wrote:
Tony Sidaway wrote:
>On 10/17/05, David Gerard <dgerard at gmail.com> wrote:
>
>>Note that the NTL problem has been solved (presumably through some
>>horribly ugly special cases in the MediaWiki code) -
It's not an ugly special case, we already used the X-Forwarded-For
header to determine the IP address for users editing via our own squids
(i.e. everyone). It was just a matter of adding extra trusted proxies,
and adding some validation for cases where external proxies randomly
send invalid addresses like 127.0.0.1, which unfortunately some of them do.
>My understanding is that NTL passes the client IP via a standard
>protocol and MediaWiki simply interprets it in the standard manner.
>The only place where it gets hairy is that, as I understand it, some
>anonymizing proxies also use this protocol and forward a spoofed IP,
>so you do need to maintain a list of proxies that can be trusted.
No, the problem is not some anonymizing proxies, the problem is that
anyone at all could pretend to be a proxy, by just typing headers into
telnet or netcat.
Semi-standard - it uses an X-Forwarded-From header and sometimes it
reverses the order of the octets (for no good reason).
Nothing in MediaWiki should reverse the order of the octets, where have
you seen that? Anyway, it is indeed only semi-standard, hence the X
prefix. It's a de facto standard promulgated by Squid.
That said, I just spotted a MARMOT sock (User:Captain Kreuk and a few
others) with his IP showing as the NTL proxy address, not his actual
address. Bother.
(cc'd to wikitech-l - is this a reportable bug, or hadn't the
NTL-checking code kicked in at that point?)
It's a bit hard to tell without knowing the IP address and how long ago
it occurred.
-- Tim Starling
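
The approach discussed in this thread (honour X-Forwarded-For only when the sender is a listed proxy, and discard invalid values such as 127.0.0.1), sketched as an added example that is not MediaWiki's code and not part of the original message. The proxy list, the rejected ranges and the `client_ip` name are assumptions, and all addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample values (documentation ranges), not real Wikimedia or NTL addresses.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.7/32")]
# Values a remote proxy should never report for its client:
# loopback, unspecified, RFC 1918 and link-local space.
BOGUS = [ipaddress.ip_network(n) for n in
         ("127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
          "192.168.0.0/16", "169.254.0.0/16", "::1/128")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def client_ip(peer, xff_header):
    """Return the address a request should be attributed to.

    peer: source address of the TCP connection (a header cannot change it).
    xff_header: raw X-Forwarded-For value, or None if absent.
    """
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: each entry was appended by the hop to its right.
    for hop in reversed(hops):
        if not _in_any(current, TRUSTED_PROXIES):
            break  # sender is not a listed proxy, so its claims are ignored
        try:
            claimed = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable value such as "unknown": keep the proxy address
        if _in_any(claimed, BOGUS):
            break  # e.g. 127.0.0.1 sent by a misbehaving proxy
        current = claimed
    return str(current)
```

When validation fails the proxy's own address is kept, so edits are still attributed to something blockable rather than to a bogus value.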