id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
3872	Bug in SetRemoteAddrFromForwardedFor middleware	Simon Willison	Grzegorz Ślusarek	"The middleware contains the following:

{{{
# HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
# Take just the first one.
real_ip = real_ip.split("","")[0]
}}}

I'm pretty sure it should be taking the LAST element in the list, not the first - at least going by Bob Ippolito's description here:

http://bob.pythonmac.org/archives/2005/09/23/apache-x-forwarded-for-caveat/

This could be a security issue, as it may allow people to forge an X-Forwarded-For header and provide a fake IP address to Django.

"		closed	Core (Other)	dev		fixed	middleware		Ready for checkin	1	0	0	0	0	0
