From Christopher Schultz <>
Subject Re: Comma related bug in org.apache.catalina.valves.RemoteIpValve
Date Fri, 02 Nov 2012 21:09:11 GMT


On 11/2/12 12:27 PM, Simon Dean wrote:
>> -----Original Message-----
>> From: Caldarale, Charles R []
>> Sent: 31 October 2012 20:35
>> To: Tomcat Users List
>> Subject: RE: Comma related bug in org.apache.catalina.valves.RemoteIpValve
>>> From: André Warnier []
>>> Subject: Re: Comma related bug in org.apache.catalina.valves.RemoteIpValve
>>> We'll probably end up with something like
>>> <tag>"regex1","regex2",...</tag>.
>>> Or a single regex, with "|" between the alternatives (which
>>> could be a workaround for you now, I guess).
>> I have a vague memory of a discussion on either the dev or users'
>> list about simply removing the comma separation, and using just
>> regex standard formats.  As I recall, the final resolution was to
>> remove the comma separation in Tomcat 7, but keep it in 6 for
>> compatibility - even if it is broken and not completely
>> resolvable.  If you look at the RemoteIpValve doc for 7, you'll
>> see there's no mention of comma-separated regexes.
> Yep. Tomcat 7 is treating the values as whole regexes (taking
> advantage of regular expressions' logical OR operation - the pipe symbol).
> In Tomcat 6 though, there is a real bug with the current 
> documentation and implementation. The documentation gives example
> values for internalProxies that have commas in the regex. See 
> and 
> Both specify the following as the default value for internalProxies:
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 
> 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
> But that value won't work if you assigned it to internalProxies 
> because it has commas in the "{1,3}" bit. Worse still, the valve 
> silently fails, giving no feedback that there's anything wrong.
> Quick remedies would be to change the code and documentation to
> use this as the default:
> 10\.\d{1,3}\.\d+\.\d{1,3}, 192\.168\.\d+\.\d+, 169\.254\.\d+\.\d+, 
> 127\.\d+\.\d+\.\d+
> Which replaces "{1,3}" with "+".

You missed a few, and you could be safer. Instead of using \d{1,3} in
general for an octet, I would recommend something like this:


This disallows things like 123.456.789.999, though it is a bit more
complicated. It does not contain any commas, though. For an example on
the site, though, a simple \d+ should suffice.

> Also adding a warning about commas to the code and documentation 
> would also go a long way.

Patches -- especially to the documentation -- are always welcome.

-chris
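The failure mode discussed in this thread, as an added example that is not code from the Tomcat project or from anyone in the thread: a small Python model of a valve that splits its internalProxies attribute on commas before compiling each piece. It assumes (the thread does not say exactly how Tomcat 6 splits) that the attribute is split on every comma with whitespace trimmed, and that a piece which fails to compile simply matches nothing, which is the silent failure Simon describes. It checks the documented default, the proposed "+" remedy, and a comma-free octet pattern of the kind Chris recommends, which rejects addresses such as 123.456.789.999. The helper names and the octet pattern are this example's own, not the valve's.

```python
import re

# Default internalProxies value as quoted from the Tomcat 6 docs in the thread.
DOCUMENTED_DEFAULT = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, "
    r"169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)

# The "quick remedy" proposed in the thread: most "{1,3}" replaced by "+".
PROPOSED_REMEDY = (
    r"10\.\d{1,3}\.\d+\.\d{1,3}, 192\.168\.\d+\.\d+, 169\.254\.\d+\.\d+, "
    r"127\.\d+\.\d+\.\d+"
)

# A comma-free octet (this example's own pattern): 0-255, no leading zeros,
# and no "{n,m}" quantifier anywhere, so comma splitting cannot cut it.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_DEFAULT = ", ".join([
    rf"10\.{OCTET}\.{OCTET}\.{OCTET}",
    rf"192\.168\.{OCTET}\.{OCTET}",
    rf"169\.254\.{OCTET}\.{OCTET}",
    rf"127\.{OCTET}\.{OCTET}\.{OCTET}",
])


def split_comma_list(value):
    """Assumed model of the Tomcat 6 behaviour described in the thread:
    the attribute is split on every comma before each piece is compiled."""
    return [piece.strip() for piece in value.split(",") if piece.strip()]


# "{" that does not start a complete {n}, {n,} or {n,m} quantifier.
_DANGLING_OPEN = re.compile(r"\{(?!\d+(?:,\d*)?\})")
# "}" with no "{" anywhere before it in the same piece.
_DANGLING_CLOSE = re.compile(r"^[^{]*\}")


def truncated_fragments(value):
    """Pieces that look like the two halves of a quantifier cut at its comma.
    (An escaped literal brace would be flagged as well; none occur here.)"""
    return [
        piece for piece in split_comma_list(value)
        if _DANGLING_OPEN.search(piece) or _DANGLING_CLOSE.search(piece)
    ]


def is_internal_proxy(value, ip):
    """True if any comma-separated piece matches the whole address.
    A piece that does not compile is treated as matching nothing: the
    silent failure the thread describes (an assumption about the valve)."""
    for fragment in split_comma_list(value):
        try:
            if re.fullmatch(fragment, ip):
                return True
        except re.error:
            continue
    return False


if __name__ == "__main__":
    # Constructed sample addresses: two genuine internal proxies, two bogus ones.
    samples = ["10.1.2.3", "192.168.0.1", "10.1.2.300", "123.456.789.999"]
    for name, value in [("documented default", DOCUMENTED_DEFAULT),
                        ("proposed remedy", PROPOSED_REMEDY),
                        ("comma-free octets", STRICT_DEFAULT)]:
        print(f"{name}: truncated pieces = {truncated_fragments(value)}")
        for ip in samples:
            print(f"  {ip:16} internal? {is_internal_proxy(value, ip)}")
```

Run as a script it prints, for each of the three values, which pieces were cut in half and which sample addresses are still recognised as internal. With the documented default every one of the fourteen pieces is a half-quantifier and not even 10.1.2.3 matches; with the "+" remedy the 192.168 and 169.254 and 127 entries work but the 10/8 entry still breaks at its two remaining "{1,3}" commas, which is the "you missed a few" point; the comma-free octet form survives the split and also rejects out-of-range octets. Note that Python's re treats a stray "{" as a literal while Java's java.util.regex throws, so the exact symptom differs, but the outcome is the same: the intended network never matches.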