Which version of Django and/or Python is affected by IP Spoofing?
REF: https://portswigger.net/daily-swig/ip-spoofing-bug-leaves-django-rest-applications-open-to-ddos-password-cracking-attacks Reported Date: Jan 11 2022
I did some research into the link you shared, Django's source and Django REST Framework's source.
Bare-bones Django is not vulnerable to this, since it doesn't use X-Forwarded-For, and neither is Python.
Virtually all versions of Django REST Framework are vulnerable, since this commit 9 years ago added the HTTP_X_FORWARDED_FOR check: https://github.com/encode/django-rest-framework/blob/d18d32669ac47178f26409f149160dc2c0c5359c/rest_framework/throttling.py#L155
For measures you can take to avoid this, since a patch is not yet ready, you could implement your own rate limiter, and replace get_ident to only use REMOTE_ADDR.
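The mitigation the answer describes, as an added example that is not part of the original answer and not Django REST Framework's own code: a simplified throttle in the shape of DRF's get_ident/allow_request pair, first keyed on X-Forwarded-For and then on REMOTE_ADDR only, run against constructed requests (the addresses 203.0.113.7 and 10.0.0.x, the limit of 3 per 60 s and the FakeRequest class are all made up for the demonstration) to show that one peer can reset the header-keyed counter on every request while the REMOTE_ADDR-keyed version holds the limit.

```python
import time
from collections import defaultdict, deque


class FakeRequest:
    """Constructed stand-in for a Django request; only .META is used."""
    def __init__(self, meta):
        self.META = meta


class ForwardedForThrottle:
    """Simplified throttle keyed on X-Forwarded-For (the spoofable pattern)."""
    rate_limit = 3      # requests allowed per window (constructed value)
    window = 60.0       # window length in seconds

    def __init__(self):
        self.history = defaultdict(deque)

    def get_ident(self, request):
        # The header is client-supplied, so the throttle key is attacker-chosen.
        xff = request.META.get('HTTP_X_FORWARDED_FOR')
        if xff:
            return xff.split(',')[0].strip()
        return request.META.get('REMOTE_ADDR')

    def allow_request(self, request, now=None):
        now = time.time() if now is None else now
        bucket = self.history[self.get_ident(request)]
        while bucket and bucket[0] <= now - self.window:
            bucket.popleft()        # drop hits that fell out of the window
        if len(bucket) >= self.rate_limit:
            return False
        bucket.append(now)
        return True


class RemoteAddrThrottle(ForwardedForThrottle):
    """The answer's mitigation: key only on REMOTE_ADDR, the actual TCP peer."""
    def get_ident(self, request):
        return request.META.get('REMOTE_ADDR')


def spoof_attempts(throttle_cls, attempts=10):
    """One peer sends `attempts` requests, each with a different forged
    X-Forwarded-For value; returns how many the throttle let through."""
    throttle = throttle_cls()
    allowed = 0
    for i in range(attempts):
        request = FakeRequest({'REMOTE_ADDR': '203.0.113.7',
                               'HTTP_X_FORWARDED_FOR': f'10.0.0.{i}'})
        allowed += throttle.allow_request(request, now=1000.0)
    return allowed
```

REMOTE_ADDR is only the real client when the application terminates the connection itself; behind a reverse proxy every request arrives with the proxy's address, so in that deployment the proxy must overwrite the forwarded header and the application must only trust the hop count it actually has.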