Opened 3 years ago

Last modified 14 months ago

#7704 defect reopened

twisted.web.http.Request.getClientIP() returns None for ipv6 addresses

Reported by: Matthew Pounsett
Owned by:
Priority: normal
Milestone:
Component: web
Keywords:
Cc: jknight
Branch:


When an IPv6 client is connected, the request object's getClientIP() method returns None.

Change History (6)

comment:1 Changed 3 years ago by DefaultCC Plugin

Cc: jknight added

comment:2 Changed 3 years ago by Jean-Paul Calderone

IRequest.getClientIP is an interface design mistake. It should be replaced by a method that just returns an IAddress provider.

The trouble with returning an instance of str (apart from being confused over whether that means bytes or unicode) to represent any kind of address is that at best it's ambiguous that maybe confuses application code sometimes and at worst it's an exploitable vulnerability (what happens if your application is deployed to listen over UNIX sockets and the client binds to a UNIX socket named

IAddress is unambiguous and puts the responsibility for accounting for different address types squarely on the shoulders of the application.

comment:3 Changed 3 years ago by Jean-Paul Calderone

Resolution: wontfix
Status: new → closed

See #7705, #7706, #7707.

comment:4 Changed 14 months ago by Glyph

Resolution: wontfix
Status: closed → reopened

I'm not so sure that deprecating this is the right way to go.

But, even if it is, in the meanwhile applications that use getClientIP should not be getting garbage data for IPv6 clients. Whether we deprecate it or not in the future, this is a valid bug.

This has knock-on effects right now; for example, getClientIP is used by the system that emits CLF logs (which does ultimately need a string to serialize to the log file, which makes me think that the "security" concern above might not be entirely preventable).
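The two points raised in comment:2 (a bare string is an ambiguous way to represent a peer address; an address object is not) and comment:4 (the CLF logger still needs a string per address type) can be shown side by side. The following is an added example written for this page, not code from the ticket or from Twisted itself; the IPv4Address, IPv6Address and UNIXAddress classes below are constructed stand-ins that only mimic the shape of Twisted's twisted.internet.address types, and get_client_ip_legacy is a hypothetical model of the behaviour the ticket reports, not Twisted's actual implementation.

```python
# Added example (not from the ticket or from Twisted): a minimal model of the
# getClientIP() design problem, using stand-in address classes constructed here.
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class IPv4Address:           # stand-in, mimics twisted.internet.address.IPv4Address
    type: str
    host: str
    port: int


@dataclass(frozen=True)
class IPv6Address:           # stand-in, mimics twisted.internet.address.IPv6Address
    type: str
    host: str
    port: int
    flowInfo: int = 0
    scopeID: int = 0


@dataclass(frozen=True)
class UNIXAddress:           # stand-in, mimics twisted.internet.address.UNIXAddress
    name: Optional[bytes]    # None for an unnamed/abstract socket


Address = Union[IPv4Address, IPv6Address, UNIXAddress]


def get_client_ip_legacy(client: Address) -> Optional[str]:
    """Hypothetical model of the behaviour the ticket reports: only an IPv4
    peer yields a string; every other address type collapses to None, so an
    IPv6 client is indistinguishable from 'no address at all'."""
    if isinstance(client, IPv4Address):
        return client.host
    return None


def get_client_address(client: Address) -> Address:
    """The alternative comment:2 argues for: return the address object itself
    and make the application dispatch on its concrete type."""
    return client


def format_for_clf(client: Address) -> str:
    """Serialise any address kind for a Common Log Format line (the need
    comment:4 raises). Each type is rendered explicitly, so a non-IP peer is
    neither silently dropped nor mistakable for an IP literal in the log."""
    if isinstance(client, (IPv4Address, IPv6Address)):
        return client.host
    if isinstance(client, UNIXAddress):
        # The socket name is chosen by whoever created the socket, so tag it
        # with a scheme prefix rather than letting it stand alone in the
        # client-address column.
        name = client.name.decode("utf-8", "replace") if client.name else "<unnamed>"
        return "unix:" + name
    return "-"  # CLF placeholder for a value that is not available


def clf_line(client: Address, request_line: str, status: int, size: int) -> str:
    """Build a CLF-style access log line from a typed address."""
    return '%s - - [-] "%s" %d %d' % (format_for_clf(client), request_line, status, size)


if __name__ == "__main__":
    # Constructed sample peers (documentation ranges, not real hosts).
    peers = [
        IPv4Address("TCP", "192.0.2.10", 4242),
        IPv6Address("TCP", "2001:db8::1", 4242),
        UNIXAddress(b"/run/example.sock"),
    ]
    for peer in peers:
        print("legacy:", get_client_ip_legacy(peer))
        print("typed: ", clf_line(get_client_address(peer), "GET / HTTP/1.1", 200, 12))
```

Running it shows the legacy helper returning None for both the IPv6 and the UNIX peer, while the typed path produces a usable log entry for each; the application, not the transport layer, decides how every address kind is spelled.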

comment:5 Changed 14 months ago by Glyph

See also #8241

comment:6 Changed 14 months ago by Glyph

This also makes it so that WSGI applications can't listen over IPv6. You get a nasty traceback:
