

Django security updates released (shouldn't affect live code) - forsaken
http://www.djangoproject.com/weblog/2009/jul/28/security/

======
mtrichardson
Removing django.middleware.http.SetRemoteAddrFromForwardedFor seems silly,
since this can be nice-to-have information, even if it's given the caveat
that, yes, this isn't trusted.

~~~
ubernostrum
Well, there are basically two problems:

1. There's enough variation in normal proxy usage that it's difficult to
provide a "one size fits all" or even a "one size fits most" solution.

2. Even if you have it set up so that it matches what _your_ proxies do,
there's no guarantee that other proxies between yours and the remote user
won't mess with stuff.

The second one is the real kicker, because it's easy to be lulled into
thinking that all you have to do is worry about the proxies you set up
yourself. That's not true, of course, and the information you get is still
completely untrustworthy.

So Django's dropping the middleware, and going forward you'll have to supply
your own gun before shooting yourself in the foot :)
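The two problems above are easiest to see side by side. The block below is an added example, not Django's code and not the removed middleware: it contrasts the naive "take the leftmost X-Forwarded-For entry" logic with a right-to-left walk that only skips hops appended by proxies you operate. The trusted proxy ranges, client addresses and header values are constructed for the example.

```python
import ipaddress

# Constructed example: the reverse proxies we operate ourselves. Any other
# address in X-Forwarded-For is treated as an untrusted claim (assumed values).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted(addr, trusted):
    """True if addr parses as an IP and falls inside one of our proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def naive_client_ip(remote_addr, xff):
    """Leftmost entry wins. The client controls that entry, so this is spoofable
    by anyone who can send a request, whether or not they came through a proxy."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Walk the chain from the right, skipping hops our own proxies appended.

    The first hop that is not one of our proxies is the furthest we can see:
    it is either the real client or some upstream proxy we do not control.
    Returns None if that hop is not even a valid IP address.
    """
    # If the TCP peer is not one of our proxies, the header never passed
    # through our infrastructure and is worthless; use the socket address.
    if not _is_trusted(remote_addr, trusted):
        return remote_addr

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                return None  # garbage written by something untrusted
            return hop

    # Every hop (if any) was one of our own proxies: the originator is the
    # leftmost of them, or the peer itself when the header was empty.
    return hops[0] if hops else remote_addr


if __name__ == "__main__":
    # Attacker hits the app directly and forges the header.
    print(naive_client_ip("203.0.113.5", "1.2.3.4"))          # 1.2.3.4 (spoofed)
    print(client_ip("203.0.113.5", "1.2.3.4"))                # 203.0.113.5
    # Attacker comes through our proxy 10.0.0.1, which appends their real IP.
    print(naive_client_ip("10.0.0.1", "1.2.3.4, 198.51.100.7"))  # 1.2.3.4
    print(client_ip("10.0.0.1", "1.2.3.4, 198.51.100.7"))        # 198.51.100.7
```

Note what the second case still does not give you: if 198.51.100.7 is a proxy somebody else runs, the real user is further left and you have no way to verify it. That is the "other proxies between yours and the remote user" point; the right-to-left walk only gets you as far as the first hop you did not write yourself.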

