tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: tomcat 7.0.21: bug in RemoteAddrValve?
Date Thu, 15 Sep 2011 12:25:02 GMT
Francis GALIEGUE wrote:
> On Thu, Sep 15, 2011 at 10:06, Francis GALIEGUE <fge@one2team.com> wrote:
>> On Wed, Sep 14, 2011 at 20:49, Mark Eggers <its_toasted@yahoo.com> wrote:
>> [...]
>>> I've not tried this in Tomcat, but here's a thought.
>>>
>>> According to:
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter
>>>
>>>
>>> Tomcat uses java.util.regex for pattern matching. This means that if you want a string regular expression to include a ".", you'll end up entering it as \\.
>>>
>>> Try using "127\\.0\\.0\\.1|::1" and see if that fixes your problem.
>>>
>>> I have no idea why it would work in previous versions (have not checked the change log).
>>>
>>> . . . . just my two cents.
>> Yep, fair enough. But in this case "\." would have expanded to a dot
>> and it would have matched anyway.
>>
>> @André: I do connect from localhost using wget, mainly:
>>
>> wget -O - -nv --http-user=xxxx --http-password=xxxx
>> http://localhost:8080//manager/text/list
>>
>> But even so, using "127\\.0\\.0\\.1", I get 403... There definitely is
>> something broken :(
>>
> 
> OK, I've found the bug...
> 
> I have added an access log valve and here is what I see in it:
> 
> [15/Sep/2011:11:59:14 +0200] 0:0:0:0:0:0:0:1 (132 msec/964 bytes) 403
> GET //manager/text/list HTTP/1.0
> 
> That explains it. So, I do have IPv6, but the valve doesn't recognize
> ::1 as being equivalent to the fully expanded IPv6 address... If it
> only tries and matches the regex, the behaviour is therefore normal.

Aha. So I do get a Debugger Bonus Point after all.

> 
> I have added 0:0:0:0:0:0:0:1 as an alternative instead of ::1 and it
> does work...
> 
> So, PEBKAC mostly, but I think Tomcat should be able to treat reduced
> IPv6 address formats.
> 

That would mean that both the address configured in the Valve, and the client address, 
would need to be "canonicalised" and then compared.
You'll probably see the traditional "patches are welcome" soon.

On the other hand, using a regexp provides for quite a bit of flexibility regarding ranges of addresses. You could use something like:
"(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)"
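The mismatch discussed in this message, as an added Java example that is not part of the original thread and is not Tomcat code: it runs the two patterns from the thread against the address string from the access log, then compares the addresses after parsing them instead of as text. The class and method names are hypothetical, and it assumes the filter does a full-string regex match on the address text as logged.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

public class LoopbackFilterDemo {
    // Patterns from the thread, written as Java string literals.
    static final String SHORT_ONLY = "127\\.0\\.0\\.1|::1";
    static final String BOTH_FORMS = "(127\\.0\\.0\\.1)|((0?:0?:0?:0?:0?:0?)?:0?:1)";

    // Shape check (dotted quad, or hex groups with at least one colon) so that
    // names such as "localhost" are rejected instead of being resolved.
    static final Pattern IP_SHAPE = Pattern.compile(
            "\\d{1,3}(\\.\\d{1,3}){3}|[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*");

    static InetAddress parseLiteral(String text) throws UnknownHostException {
        if (!IP_SHAPE.matcher(text).matches()) {
            throw new UnknownHostException("not an IP literal: " + text);
        }
        return InetAddress.getByName(text);
    }

    // Compare two address strings as addresses, not as text.
    static boolean sameAddress(String configured, String client) throws UnknownHostException {
        return parseLiteral(configured).equals(parseLiteral(client));
    }

    public static void main(String[] args) throws UnknownHostException {
        // Client address string taken from the access log line quoted in the message.
        String logged = "0:0:0:0:0:0:0:1";

        // Full-string regex match, which is what a regex-based filter sees.
        System.out.println("short-only pattern vs logged form: "
                + Pattern.matches(SHORT_ONLY, logged));
        System.out.println("both-forms pattern vs logged form: "
                + Pattern.matches(BOTH_FORMS, logged));
        System.out.println("both-forms pattern vs ::1:         "
                + Pattern.matches(BOTH_FORMS, "::1"));

        // The JVM's own text form for the short literal.
        System.out.println("getHostAddress() for ::1:          "
                + parseLiteral("::1").getHostAddress());

        // Parsed comparison treats both spellings as the same address.
        System.out.println("sameAddress(::1, logged):          "
                + sameAddress("::1", logged));
    }
}
```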
