tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Comma related bug in org.apache.catalina.valves.RemoteIpValve
Date Fri, 02 Nov 2012 21:09:11 GMT

Simon,

On 11/2/12 12:27 PM, Simon Dean wrote:
>> -----Original Message----- From: Caldarale, Charles R
>> [mailto:Chuck.Caldarale@unisys.com] Sent: 31 October 2012 20:35 
>> To: Tomcat Users List Subject: RE: Comma related bug in 
>> org.apache.catalina.valves.RemoteIpValve
>> 
>>> From: André Warnier [mailto:aw@ice-sa.com] Subject: Re: Comma
>>> related bug in org.apache.catalina.valves.RemoteIpValve
>> 
>>> We'll probably end up with something like
>>> <tag>"regex1","regex2",...</tag>.
>>> Or a single regex, with "|" between the alternatives (which
>>> could be a workaround for you now, I guess).
>> 
>> I have a vague memory of a discussion on either the dev or users'
>> list about simply removing the comma separation, and using just
>> regex standard formats.  As I recall, the final resolution was to
>> remove the comma separation in Tomcat 7, but keep it in 6 for
>> compatibility - even if it is broken and not completely
>> resolvable.  If you look at the RemoteIpValve doc for 7, you'll
>> see there's no mention of comma-separated regexes.
> 
> Yep. Tomcat 7 is treating the values as whole regexes (taking
> advantage of regular expressions' logical OR operation - the pipe symbol).
> 
> In Tomcat 6 though, there is a real bug with the current 
> documentation and implementation. The documentation gives example
> values for internalProxies that have commas in the regex. See 
> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_IP_Valve
> and 
> http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
> Both specify the following as the default value for internalProxies:
> 
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 
> 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
> 
> But that value won't work if you assigned it to internalProxies 
> because it has commas in the "{1,3}" bit. Worse still, the valve 
> silently fails, giving no feedback that there's anything wrong.
> 
> Quick remedies would be to change the code and documentation to
> use this as the default:
> 
> 10\.\d{1,3}\.\d+\.\d{1,3}, 192\.168\.\d+\.\d+, 169\.254\.\d+\.\d+, 
> 127\.\d+\.\d+\.\d+
> 
> Which replaces "{1,3}" with "+".

You missed a few, and you could be safer. Instead of using \d{1,3} in
general for an octet, I would recommend something like this:

0|1[0-9][0-9]?|2([0-4][0-9]|5[0-5]|[6-9])

This disallows things like 123.456.789.999, though it is a bit more
complicated. It does not contain any commas, though. For an example on
the site, though, a simple \d+ should suffice.

> Also adding a warning about commas to the code and documentation 
> would also go a long way.

Patches -- especially to the documentation -- are always welcome.

-chris
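
The comma problem discussed in this thread, as an added Java example that is not part of the original message and is not Tomcat's code: a hypothetical comma-list parser (`compileCommaList`, an assumption) splits the documented default value, and the result is compared with the same value treated as one regex joined with `|`. The sample addresses are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class InternalProxiesCommaDemo {
    // Default internalProxies value quoted from the Tomcat 6 docs in the message above.
    static final String DOCUMENTED = "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}, "
            + "192\\.168\\.\\d{1,3}\\.\\d{1,3}, 169\\.254\\.\\d{1,3}\\.\\d{1,3}, "
            + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}";

    // Hypothetical stand-in for a comma-separated list parser (an assumption,
    // not Tomcat's code): split on commas, trim, try to compile each piece.
    static List<Pattern> compileCommaList(String value, List<String> rejected) {
        List<Pattern> compiled = new ArrayList<>();
        for (String piece : value.split(",")) {
            String fragment = piece.trim();
            try {
                compiled.add(Pattern.compile(fragment));
            } catch (PatternSyntaxException e) {
                rejected.add(fragment); // e.g. an unclosed "{1" quantifier
            }
        }
        return compiled;
    }

    // True if any compiled pattern matches the whole address string.
    static boolean matchesAny(List<Pattern> patterns, String address) {
        for (Pattern p : patterns) {
            if (p.matcher(address).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] samples = {"10.0.0.5", "192.168.1.7", "127.0.0.1", "8.8.8.8"}; // constructed
        List<String> rejected = new ArrayList<>();
        List<Pattern> split = compileCommaList(DOCUMENTED, rejected);
        // Tomcat 7 style: the same four ranges as one regex joined with "|".
        Pattern whole = Pattern.compile(DOCUMENTED.replace(", ", "|"));

        System.out.println("compiled fragments: " + split);
        System.out.println("rejected fragments: " + rejected);
        for (String address : samples) {
            System.out.printf("%-12s comma-split=%-5b single-regex=%b%n", address,
                    matchesAny(split, address), whole.matcher(address).matches());
        }
    }
}
```

Because the commas inside `{1,3}` are indistinguishable from the list separator, none of the pieces produced by the split is one of the four intended patterns, so an internal proxy address is not recognised unless the value is kept as a single regex.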