Don't use X-Forwarded-For header to assign community

b10cde88 · Joanne Hugé · 5539f577 · b10cde88 · b10cde88
Commit b10cde88 authored Feb 03, 2022 by Joanne Hugé
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 8 deletions

re6st/cli/conf.py re6st/cli/conf.py +2 -4

re6st/registry.py re6st/registry.py +1 -4

No files found.
--- a/re6st/cli/conf.py
+++ b/re6st/cli/conf.py
@@ -46,8 +46,7 @@ def main():
        help="Request an anonymous certificate. No email is required but the"
             " registry may deliver a longer prefix.")
    _('--country',
-            help="Specify country for the community assignment (default:"
-             " country is detected based on IP in X-Forwarded-For header")
+            help="Specify country for the community assignment")
    config = parser.parse_args()
    if config.dir:
        os.chdir(config.dir)
@@ -144,8 +143,7 @@ def main():
        # to avoid using our token for nothing.
        cert_fd = os.open(cert_path, os.O_CREAT | os.O_WRONLY, 0666)
        print "Requesting certificate ..."
-        cert = s.requestCertificate(token, req, country=config.country) \
-                 if config.country else s.requestCertificate(token, req)
+        cert = s.requestCertificate(token, req, country=config.country or '_')
        if not cert:
            token_advice = None
            sys.exit("Error: invalid or expired token")

--- a/re6st/registry.py
+++ b/re6st/registry.py
@@ -290,8 +290,6 @@ class RegistryServer(object):
                request.headers.get("X-Forwarded-For") or
                request.headers.get("host"),
                request.headers.get("user-agent"))
-        if 'ip' in kw:
-            kw['ip'] = request.headers.get("X-Forwarded-For") or request.headers.get("host")
        try:
            result = m(**kw)
        except HTTPError, e:
@@ -418,7 +416,7 @@ class RegistryServer(object):
        return self.newPrefix(prefix_len, country)

    @rpc
-    def requestCertificate(self, token, req, country='', ip=''):
+    def requestCertificate(self, token, req, country='_'):
        req = crypto.load_certificate_request(crypto.FILETYPE_PEM, req)
        with self.lock:
            with self.db:
@@ -438,7 +436,6 @@ class RegistryServer(object):
                    if not prefix_len:
                        raise HTTPError(httplib.FORBIDDEN)
                    email = None
-                country = country if country else self._geoiplookup(ip)
                prefix = self.newPrefix(prefix_len,
                                        country if country in self.community_map else '_')
                self.db.execute("UPDATE cert SET email = ? WHERE prefix = ?",