id: 3872
summary: Bug in SetRemoteAddrFromForwardedFor middleware
reporter: Simon Willison
owner: Grzegorz Ślusarek
type:
status: closed
component: Core (Other)
version: dev
severity:
resolution: fixed
keywords: middleware
cc:
stage: Ready for checkin
has_patch: 1
needs_docs: 0
needs_tests: 0
needs_better_patch: 0
easy: 0
ui_ux: 0
description:

The middleware contains the following:

{{{
# HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
# Take just the first one.
real_ip = real_ip.split(",")[0]
}}}

I'm pretty sure it should be taking the LAST element in the list, not the first - at least going by Bob Ippolito's description here: http://bob.pythonmac.org/archives/2005/09/23/apache-x-forwarded-for-caveat/

This could be a security issue, as it may allow people to forge an X-Forwarded-For header and provide a fake IP address to Django.
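
The first-versus-last distinction raised in the ticket, as an added example that is not Django's code. It assumes a reverse proxy that appends the connecting peer's address to any X-Forwarded-For value the client already sent; the function names, the `trusted_hops` parameter and the addresses are constructed for illustration, and the selection is generalized from "last element" to a chain of several trusted proxies.

```python
import ipaddress

def proxy_append(incoming_xff, peer_ip):
    """Assumed proxy behaviour: append the address the connection came
    from to whatever X-Forwarded-For value the client already sent."""
    return f"{incoming_xff}, {peer_ip}" if incoming_xff else peer_ip

def first_element(xff):
    """Behaviour quoted in the ticket: trust the leftmost entry."""
    return xff.split(",")[0].strip()

def rightmost_trusted(xff, trusted_hops=1):
    """Return the entry written by the outermost trusted proxy, i.e. the
    trusted_hops-th entry from the right; reject malformed values."""
    parts = [p.strip() for p in xff.split(",")]
    if trusted_hops < 1 or len(parts) < trusted_hops:
        raise ValueError("header shorter than the trusted proxy chain")
    # ip_address() raises ValueError for anything that is not an IP literal.
    return str(ipaddress.ip_address(parts[-trusted_hops]))

# Constructed sample addresses (documentation and private ranges).
CLIENT = "203.0.113.7"       # address the edge proxy actually sees
FORGED = "198.51.100.99"     # value the client puts in its own header
EDGE_PROXY = "10.0.0.5"      # edge proxy as seen by an inner proxy

def scenarios():
    """Header values the application receives in three constructed cases."""
    honest = proxy_append("", CLIENT)             # client sent no header
    forged = proxy_append(FORGED, CLIENT)         # client sent its own header
    two_hops = proxy_append(forged, EDGE_PROXY)   # second trusted proxy behind the first
    return honest, forged, two_hops

if __name__ == "__main__":
    for xff in scenarios():
        hops = 2 if xff.endswith(EDGE_PROXY) else 1
        print(f"{xff!r}: first={first_element(xff)} "
              f"trusted={rightmost_trusted(xff, hops)}")
```

The rightmost selection is only meaningful when the application is reachable solely through the trusted proxies; a request that arrives directly carries a header written entirely by the client.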