Workaround security issues in django-axes (!1245) · Merge requests · FreedomBox / FreedomBox

Sunil Mohan Adapa requested to merge sunilmohan/freedombox:fix-axes into master Mar 21, 2018

Newer versions of Django axes have newly way to get the IP address of a client using ipware library. This has multiple security issues https://github.com/jazzband/django-axes/issues/286 . Workaround them by controlling the X-FORWARDED-FOR header sent from Apache to FreedomBox and by limiting the headers that ipware uses.

Signed-off-by: Sunil Mohan Adapa sunil@medhas.org

Workaround security issues in django-axes

Merge request reports