Opened 4 years ago

Closed 8 months ago

#7704 defect closed fixed (fixed)

twisted.web.http.Request.getClientIP() returns None for ipv6 addresses

Reported by: Matthew Pounsett
Owned by: mark williams
Priority: normal
Milestone:
Component: web
Keywords:
Cc: jknight
Branch:
Author:

Description

When an IPv6 client is connected, the request object's getClientIP() method returns None.

Change History (10)

comment:1 Changed 4 years ago by DefaultCC Plugin

Cc: jknight added

comment:2 Changed 4 years ago by Jean-Paul Calderone

IRequest.getClientIP is an interface design mistake. It should be replaced by a method that just returns an IAddress provider.

The trouble with returning an instance of str (apart from being confused over whether that means bytes or unicode) to represent any kind of address is that at best it's an ambiguity that maybe confuses application code sometimes and at worst it's an exploitable vulnerability (what happens if your application is deployed to listen over UNIX sockets and the client binds to a UNIX socket named 127.0.0.1?).

IAddress is unambiguous and puts the responsibility for accounting for different address types squarely on the shoulders of the application.
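
The ambiguity described in comment:2, shown as an added example that is not part of the ticket or of Twisted's code. The dataclasses are simplified stand-ins for Twisted's typed addresses in twisted.internet.address, and flatten_to_str, is_loopback_naive, is_loopback_typed and compare are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

# Simplified stand-ins (assumption) for Twisted's typed addresses in
# twisted.internet.address: IPv4Address, IPv6Address and UNIXAddress.
@dataclass(frozen=True)
class IPv4Address:
    host: str
    port: int

@dataclass(frozen=True)
class IPv6Address:
    host: str
    port: int

@dataclass(frozen=True)
class UNIXAddress:
    name: str  # filesystem path the peer bound to, chosen by the peer

def flatten_to_str(addr):
    """Hypothetical str-returning accessor: the address family is discarded."""
    return addr.name if isinstance(addr, UNIXAddress) else addr.host

def is_loopback_naive(addr):
    """Trusts the flattened string, so a socket path can pass for an IP."""
    return flatten_to_str(addr) in ("127.0.0.1", "::1")

def is_loopback_typed(addr):
    """Decides per address family; a UNIX peer name is never parsed as an IP."""
    if isinstance(addr, (IPv4Address, IPv6Address)):
        return ipaddress.ip_address(addr.host).is_loopback
    return False  # UNIX peers need their own policy, not an IP comparison

# Constructed sample peers, not taken from the ticket.
SAMPLE_PEERS = [
    IPv4Address("127.0.0.1", 40000),
    IPv6Address("::1", 40000),
    IPv6Address("2001:db8::1", 40000),
    UNIXAddress("127.0.0.1"),
]

def compare(peers):
    """Return (flattened string, naive verdict, typed verdict) per peer."""
    return [(flatten_to_str(p), is_loopback_naive(p), is_loopback_typed(p))
            for p in peers]

if __name__ == "__main__":
    for row in compare(SAMPLE_PEERS):
        print(row)
```

The first and last sample peers flatten to the same string, and only the typed check tells them apart.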

comment:3 Changed 4 years ago by Jean-Paul Calderone

Resolution: wontfix
Status: new → closed

See #7705, #7706, #7707.

comment:4 Changed 2 years ago by Glyph

Resolution: wontfix
Status: closed → reopened

I'm not so sure that deprecating this is the right way to go.

But, even if it is, in the meanwhile applications that use getClientIP should not be getting garbage data for IPv6 clients. Whether we deprecate it or not in the future, this is a valid bug.

This has knock-on effects right now; for example, getClientIP is used by the system that emits CLF logs (which does ultimately need a string to serialize to the log file, which makes me think that the "security" concern above might not be entirely preventable).

comment:5 Changed 2 years ago by Glyph

See also #8241

comment:6 Changed 2 years ago by Glyph

This also makes it so that WSGI applications can't listen over IPv6. You get a nasty traceback: https://s.caremad.io/dKcALj4EfX/

comment:7 Changed 8 months ago by Craig Rodrigues

Resolution: fixed
Status: reopened → closed

Fixed in ticket:8241

comment:8 Changed 8 months ago by Craig Rodrigues

Resolution: fixed
Status: closed → reopened

comment:9 Changed 8 months ago by Craig Rodrigues

Owner: set to mark williams
Status: reopened → new

comment:10 Changed 8 months ago by Craig Rodrigues

Resolution: fixed
Status: new → closed

Fixed in ticket:8241
