tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 50453] New: Multiple X-Forwarded-For headers not handled by RemoteIP valve
Date Fri, 10 Dec 2010 14:29:44 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=50453

           Summary: Multiple X-Forwarded-For headers not handled by
                    RemoteIP valve
           Product: Tomcat 6
           Version: 6.0.29
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: brett.dellegrazie@intact-is.com


When a request comes in with multiple X-Forwarded-For headers the RemoteIP
valve should be examining all of them in reverse order.

As defined by the standard:
"Multiple message-header fields with the same field-name MAY be present in a
message if and only if the entire field-value for that header field is defined
as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the
multiple header fields into one "field-name: field-value" pair, without
changing the semantics of the message, by appending each subsequent field-value
to the first, each separated by a comma. The order in which header fields with
the same field-name are received is therefore significant to the interpretation
of the combined field value, and thus a proxy MUST NOT change the order of
these field values when a message is forwarded."

thus:
(a)
X-Forwarded-For: 192.168.0.3
X-Forwarded-For: 222.234.0.4

Is semantically equivalent to:
(b)
X-Forwarded-For: 192.168.0.3, 222.234.0.4

However (a) is not handled by the RemoteIP valve as it only ever looks at the
first header.

For reference, this was raised on the HAproxy mailing list:
http://www.formilux.org/archives/haproxy/1012/4122.html
and tomcat user's mailing list:
http://mail-archives.apache.org/mod_mbox/tomcat-users/201012.mbox/%3C4D022C57.1070005@apache.org%3E

Tomcat users suggested raising a bug. Hence this.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message