
Which version of Django and/or Python is affected by IP Spoofing?

REF: https://portswigger.net/daily-swig/ip-spoofing-bug-leaves-django-rest-applications-open-to-ddos-password-cracking-attacks
Reported Date: Jan 11 2022

  • Other than providing captcha, what security measure should be taken?
  • Which version of Django and/or Python is affected by IP Spoofing?

I did some research into the link you shared, Django's source and Django REST Framework's source.

Bare-bones Django is not vulnerable to this, since it doesn't use X-Forwarded-For, and neither is Python.

Virtually all versions of Django REST Framework are vulnerable, since this commit 9 years ago added the HTTP_X_FORWARDED_FOR check: https://github.com/encode/django-rest-framework/blob/d18d32669ac47178f26409f149160dc2c0c5359c/rest_framework/throttling.py#L155

For measures you can take to avoid this, since a patch is not yet ready, you could implement your own rate limiter, and replace get_ident to only use REMOTE_ADDR.
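To make the answer's advice concrete, here is an added, self-contained example (not code from the question, the answer, or the Django REST Framework project). It does not import Django or DRF: a small `FakeRequest` stand-in carries the WSGI `META` dict, `forwarded_for_ident` reproduces the header-trusting identity lookup in the linked `throttling.py` as I read it (with DRF's `NUM_PROXIES` setting left unset, which is an assumption), and `remote_addr_ident` is the REMOTE_ADDR-only replacement the answer recommends. A sliding-window limiter is run with each identity function over a constructed burst of requests that all come from one peer address but each carry a different X-Forwarded-For value, which is exactly the spoofing the linked report describes. The names, the sample addresses and the limit values are all constructed for this example.

```python
import time
from collections import defaultdict, deque


class FakeRequest:
    """Minimal stand-in for a Django request; only the WSGI META dict is needed here."""

    def __init__(self, meta):
        self.META = meta


def forwarded_for_ident(request):
    """Identity as derived by the header-trusting lookup (my reading of DRF's
    throttling.py with NUM_PROXIES unset): the X-Forwarded-For value, whitespace
    stripped, if the header is present, else REMOTE_ADDR. The header is
    client-controlled, so a client can pick a fresh identity on every request."""
    xff = request.META.get("HTTP_X_FORWARDED_FOR")
    remote_addr = request.META.get("REMOTE_ADDR")
    return "".join(xff.split()) if xff else remote_addr


def remote_addr_ident(request):
    """Hardened identity: the TCP peer address only. A client cannot change it by
    sending headers, so every request from one peer counts against one bucket."""
    return request.META.get("REMOTE_ADDR")


class SlidingWindowLimiter:
    """Allow at most `limit` requests per identity within the last `window` seconds.

    `ident_func` decides what counts as "one client"; that choice is the whole
    difference between the vulnerable and the hardened behaviour.
    `clock` is injectable so tests can run with a frozen time."""

    def __init__(self, limit, window, ident_func, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.ident_func = ident_func
        self.clock = clock
        self.history = defaultdict(deque)  # identity -> timestamps of recent hits

    def allow(self, request):
        ident = self.ident_func(request)
        now = self.clock()
        hits = self.history[ident]
        # Drop timestamps that have aged out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def count_allowed(limiter, requests):
    """Feed every request through the limiter and return how many were allowed."""
    return sum(1 for request in requests if limiter.allow(request))


def spoofed_burst(n):
    """Constructed sample traffic: n requests from a single peer (10.0.0.5),
    each claiming a different client address in X-Forwarded-For."""
    return [
        FakeRequest({"REMOTE_ADDR": "10.0.0.5",
                     "HTTP_X_FORWARDED_FOR": f"203.0.113.{i}"})
        for i in range(n)
    ]


def compare(limit=5, window=60, burst=50):
    """Run the same burst through both limiters; returns (allowed_vulnerable, allowed_hardened)."""
    frozen = lambda: 0.0  # all requests land inside one window
    vulnerable = SlidingWindowLimiter(limit, window, forwarded_for_ident, clock=frozen)
    hardened = SlidingWindowLimiter(limit, window, remote_addr_ident, clock=frozen)
    traffic = spoofed_burst(burst)
    return count_allowed(vulnerable, traffic), count_allowed(hardened, traffic)


if __name__ == "__main__":
    allowed_vuln, allowed_hard = compare()
    print(f"header-trusting limiter allowed {allowed_vuln} of 50 spoofed requests")
    print(f"REMOTE_ADDR-only limiter allowed {allowed_hard} of 50 spoofed requests")
```

Running it shows the header-trusting limiter passing the whole burst, because each request lands in its own bucket, while the REMOTE_ADDR-only limiter stops at the configured limit. The caveat for a real deployment is the mirror image of the problem: if the application sits behind a reverse proxy, REMOTE_ADDR is the proxy's address and every client shares one bucket, so the proxy must be the component that sets a trusted client-address header and the application must count only the entry that proxy appended, not whatever the client sent.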
