tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 50453] New: Multiple X-Forwarded-For headers not handled by RemoteIP valve
Date Fri, 10 Dec 2010 14:29:44 GMT

           Summary: Multiple X-Forwarded-For headers not handled by
                    RemoteIP valve
           Product: Tomcat 6
           Version: 6.0.29
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina

When a request comes in with multiple X-Forwarded-For headers the RemoteIP
valve should be examining all of them in reverse order.

As defined by the standard:
"Multiple message-header fields with the same field-name MAY be present in a
message if and only if the entire field-value for that header field is defined
as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the
multiple header fields into one "field-name: field-value" pair, without
changing the semantics of the message, by appending each subsequent field-value
to the first, each separated by a comma. The order in which header fields with
the same field-name are received is therefore significant to the interpretation
of the combined field value, and thus a proxy MUST NOT change the order of
these field values when a message is forwarded."


Is semantically equivalent to:

However (a) is not handled by the RemoteIP valve as it only ever looks at the
first header.

For reference, this was raised on the HAproxy mailing list:
and tomcat user's mailing list:

Tomcat users suggested raising a bug. Hence this.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message