1 files changed, 55 insertions, 0 deletions

diff --git a/webapp/django/middleware/http.py b/webapp/django/middleware/http.py
new file mode 100644
index 0000000000..53b65c1034
--- /dev/null
+++ b/webapp/django/middleware/http.py
@@ -0,0 +1,55 @@
+from django.utils.http import http_date
+
+class ConditionalGetMiddleware(object):
+    """
+    Handles conditional GET operations. If the response has a ETag or
+    Last-Modified header, and the request has If-None-Match or
+    If-Modified-Since, the response is replaced by an HttpNotModified.
+
+    Also sets the Date and Content-Length response-headers.
+    """
+    def process_response(self, request, response):
+        response['Date'] = http_date()
+        if not response.has_header('Content-Length'):
+            response['Content-Length'] = str(len(response.content))
+
+        if response.has_header('ETag'):
+            if_none_match = request.META.get('HTTP_IF_NONE_MATCH', None)
+            if if_none_match == response['ETag']:
+                # Setting the status is enough here. The response handling path
+                # automatically removes content for this status code (in
+                # http.conditional_content_removal()).
+                response.status_code = 304
+
+        if response.has_header('Last-Modified'):
+            if_modified_since = request.META.get('HTTP_IF_MODIFIED_SINCE', None)
+            if if_modified_since == response['Last-Modified']:
+                # Setting the status code is enough here (same reasons as
+                # above).
+                response.status_code = 304
+
+        return response
+
+class SetRemoteAddrFromForwardedFor(object):
+    """
+    Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the
+    latter is set. This is useful if you're sitting behind a reverse proxy that
+    causes each request's REMOTE_ADDR to be set to 127.0.0.1.
+
+    Note that this does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind
+    a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do not use
+    this middleware. Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and
+    because this sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means
+    anybody can "fake" their IP address. Only use this when you can absolutely
+    trust the value of HTTP_X_FORWARDED_FOR.
+    """
+    def process_request(self, request):
+        try:
+            real_ip = request.META['HTTP_X_FORWARDED_FOR']
+        except KeyError:
+            return None
+        else:
+            # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs. The
+            # client's IP will be the first one.
+            real_ip = real_ip.split(",")[0].strip()
+            request.META['REMOTE_ADDR'] = real_ip