author | Bert JW Regeer <bertjw@regeer.org> | 2018-12-02 18:00:41 -0700 |
---|---|---|
committer | Bert JW Regeer <bertjw@regeer.org> | 2018-12-02 18:03:54 -0700 |
commit | 7dd363f338886694896ad83950f9e799ff867054 (patch) | |
tree | e162f6cc9085789a9cbb146ea733531c998ad803 | |
parent | 89fe396a13e31db5692def5bcb253d85d5d5817f (diff) | |
If no trusted_proxy, don't allow other variables
This way we don't accidentally mislead users into thinking those
settings are doing anything when they are not.
-rw-r--r-- | waitress/adjustments.py | 17 | ||||
-rw-r--r-- | waitress/tests/test_adjustments.py | 17 |
2 files changed, 28 insertions, 6 deletions
diff --git a/waitress/adjustments.py b/waitress/adjustments.py
index 8d34351..c1aa66d 100644
--- a/waitress/adjustments.py
+++ b/waitress/adjustments.py
@@ -101,7 +101,7 @@ class Adjustments(object):
 ('ipv6', asbool),
 ('listen', aslist),
 ('threads', int),
- ('trusted_proxy', str),
+ ('trusted_proxy', str_iftruthy),
 ('trusted_proxy_count', int),
 ('trusted_proxy_headers', asset),
 ('log_untrusted_proxy_headers', asbool),
@@ -367,6 +367,19 @@ class Adjustments(object):
 except:
 raise ValueError('Invalid host/port specified.')
+ if (
+ self.trusted_proxy is None and
+ (
+ self.trusted_proxy_headers or
+ (self.clear_untrusted_proxy_headers is not _bool_marker)
+ )
+ ):
+ raise ValueError(
+ "The values trusted_proxy_headers and clear_untrusted_proxy_headers "
+ "have no meaning without setting trusted_proxy. Cowardly refusing to "
+ "continue."
+ )
+
 if self.trusted_proxy_headers:
 self.trusted_proxy_headers = {header.lower() for header in self.trusted_proxy_headers}
@@ -395,7 +408,7 @@ class Adjustments(object):
 )
 self.trusted_proxy_headers = {'x-forwarded-proto'}
- if self.clear_untrusted_proxy_headers is _bool_marker:
+ if self.trusted_proxy and self.clear_untrusted_proxy_headers is _bool_marker:
 warnings.warn(
 'In future versions of Waitress clear_untrusted_proxy_headers will be '
 'set to True by default. You may opt-out by setting this value to '
diff --git a/waitress/tests/test_adjustments.py b/waitress/tests/test_adjustments.py
index ea17080..f841efc 100644
--- a/waitress/tests/test_adjustments.py
+++ b/waitress/tests/test_adjustments.py
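Review bot: The guard added in the second hunk of waitress/adjustments.py rejects `trusted_proxy_headers` and `clear_untrusted_proxy_headers` without `trusted_proxy`, but it does not check `trusted_proxy_count` or `log_untrusted_proxy_headers`, which the first hunk's context lists as sibling settings. A configuration that sets only those still starts and presumably ignores them, which is the misleading state this commit sets out to remove. Consider adding a term such as `self.trusted_proxy_count is not None or` to the inner condition (this assumes the setting defaults to None, which is not visible here) and naming the extra settings in the error message. The enclosing method starts and ends outside the hunk.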
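Review bot: Gating the whole `if` on `self.trusted_proxy` in the third hunk may leave `clear_untrusted_proxy_headers` holding the `_bool_marker` sentinel whenever no proxy is configured. The body of this `if` continues past the hunk; if that body is also where the sentinel is replaced by a real boolean, the attribute keeps a placeholder value, and if the marker is a plain object any later truth test on it reads as enabled. Consider keeping the original outer condition `if self.clear_untrusted_proxy_headers is _bool_marker:` and wrapping only the warning in `if self.trusted_proxy:`, so the default is still resolved on every path. A comment such as `# warn only when a proxy is configured; the default is resolved either way` would record the intent.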
@@ -302,25 +302,34 @@ class TestAdjustments(unittest.TestCase):
 def test_dont_mix_forwarded_with_x_forwarded(self):
 with self.assertRaises(ValueError) as cm:
- self._makeOne(trusted_proxy_headers={'forwarded', 'x-forwarded-for'})
+ self._makeOne(trusted_proxy='localhost', trusted_proxy_headers={'forwarded', 'x-forwarded-for'})
 self.assertIn('The Forwarded proxy header', str(cm.exception))
 def test_unknown_trusted_proxy_header(self):
 with self.assertRaises(ValueError) as cm:
- self._makeOne(trusted_proxy_headers={'forwarded', 'x-forwarded-unknown'})
+ self._makeOne(trusted_proxy='localhost', trusted_proxy_headers={'forwarded', 'x-forwarded-unknown'})
 self.assertIn(
 'unknown trusted_proxy_headers value (x-forwarded-unknown)',
 str(cm.exception)
 )
+ def test_trusted_proxy_headers_no_trusted_proxy(self):
+ with self.assertRaises(ValueError) as cm:
+ self._makeOne(trusted_proxy_headers={'forwarded'})
+
+ self.assertIn(
+ 'Cowardly refusing to continue.',
+ str(cm.exception)
+ )
+
 def test_trusted_proxy_headers_string_list(self):
- inst = self._makeOne(trusted_proxy_headers='x-forwarded-for x-forwarded-by')
+ inst = self._makeOne(trusted_proxy='localhost', trusted_proxy_headers='x-forwarded-for x-forwarded-by')
 self.assertEqual(inst.trusted_proxy_headers, {'x-forwarded-for', 'x-forwarded-by'})
 def test_trusted_proxy_headers_string_list_newlines(self):
- inst = self._makeOne(trusted_proxy_headers='x-forwarded-for\nx-forwarded-by\nx-forwarded-host')
+ inst = self._makeOne(trusted_proxy='localhost', trusted_proxy_headers='x-forwarded-for\nx-forwarded-by\nx-forwarded-host')
 self.assertEqual(inst.trusted_proxy_headers, {'x-forwarded-for', 'x-forwarded-by', 'x-forwarded-host'})
 def test_no_trusted_proxy_headers_trusted_proxy(self): |
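Review bot: The added `test_trusted_proxy_headers_no_trusted_proxy` covers only the `trusted_proxy_headers` branch of the new guard, so nothing exercises `clear_untrusted_proxy_headers` set explicitly without `trusted_proxy`. That branch matters most for a falsy value, because the guard relies on `is not _bool_marker` rather than truthiness. Add a case along the lines of `with self.assertRaises(ValueError): self._makeOne(clear_untrusted_proxy_headers=False)`. A further test that `self._makeOne()` with no proxy settings raises nothing and emits no warning would pin the changed warning condition in adjustments.py. The last context line opens `test_no_trusted_proxy_headers_trusted_proxy`, whose body is outside the hunk.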