From 0f4fb9755cb91389a500629da0fe1739afbc2a20 Mon Sep 17 00:00:00 2001
From: Adrian Holovaty
Date: Sun, 16 Sep 2007 16:54:16 +0000
Subject: [PATCH] Fixed #3872 -- Fixed incorrect handling of HTTP_X_FORWARDED_FOR in SetRemoteAddrFromForwardedFor. Thanks, Simon Willison and gregorth

git-svn-id: http://code.djangoproject.com/svn/django/trunk@6364 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/middleware/http.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/django/middleware/http.py b/django/middleware/http.py
index 8db3e4a524..78e066c67b 100644
--- a/django/middleware/http.py
+++ b/django/middleware/http.py
@@ -55,6 +55,7 @@ class SetRemoteAddrFromForwardedFor(object):
 return None
 else:
 # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
- # Take just the first one.
- real_ip = real_ip.split(",")[0]
+ # Take just the last one.
+ # See http://bob.pythonmac.org/archives/2005/09/23/apache-x-forwarded-for-caveat/
+ real_ip = real_ip.split(",")[-1].strip()
 request.META['REMOTE_ADDR'] = real_ip
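Review bot: Taking `real_ip.split(",")[-1]` is only trustworthy when exactly one proxy you control appends to X-Forwarded-For, and the new comment does not state that assumption. If the application can be reached directly, the whole header is client-supplied and `REMOTE_ADDR` becomes whatever the client sent; with two or more trusted hops the last entry is an inner proxy rather than the client. I would extend the comment to `# Take just the last one: it is the entry added by the nearest proxy. Only valid behind a single trusted proxy that always appends to this header.` A header ending in a comma also yields an empty string after `.strip()`, so a guard such as `if not real_ip: return None` before the assignment to `request.META['REMOTE_ADDR']` would keep the original address in that case. The method body starts above the hunk, so how the header is read is not visible here.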