tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: RemoteIpValve lacking default 172.16/12
Date Tue, 06 Nov 2012 19:44:31 GMT

Konstantin,

On 11/6/12 2:03 PM, Konstantin Kolinko wrote:
> 2012/11/3 Christopher Schultz <chris@christopherschultz.net>:
>> 
>> I was looking at the Javadoc for RemoteIpValve's internalProxies 
>> attribute and I saw this comment:
>> 
>> " 172.16/12 has not been enabled by default because it is complex
>> to describe with regular expressions. "
>> 
>> I'm not sure that is true. This regex ought to do it:
>> 
>> 172\.(1[6-9]|2(5[0-5]|[6-9])|[3-9][0-9])\.\d+\.\d+
>> 
>> Any takers?
>> 
> 
> That "2(5".. part is strange and wrong. What are you trying to do
> with it?

Allow .25x. but not .26x (as that would be >8 bits).

> According to Wikipedia [1], the range is 172.16.0.0 -
> 172.31.255.255

Oddly enough, I used a python script I found online to convert
172.16.0.0/12 into a regular expression and it produced:

^172\.2\d|1[6-9]|3[01]\.\d+\.\d+$

That didn't seem right to me at the time: my netmask math was failing
me, evidently.

> So maybe  172\.(1[6-9])|(2\d)|(3[01])\.\d\d?\d?\.\d\d?\d?
> 
> That will be 16-19, 20-29, 30-31 for the second byte.
> 
> (It'd be better to have some unit tests, to be sure).

I'm not sure how stringent we want our regexes to be, but \d\d\d is a
bit lenient. Since these IP addresses are coming in as strings from
HTTP headers and not as 4-byte values, is it a good idea to permit
insane IPv4 addresses like 123.456.789.888?

Thanks,
-chris
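The unit tests asked for in the thread, as an added example that is not part of the original message or of Tomcat: it checks each quoted pattern against `ipaddress` ground truth for every second octet and for a few malformed header values. It assumes the pattern must match the whole string (what `java.util.regex.Matcher.matches()` does, `re.fullmatch` here); `STRICT`, `JUNK` and the function names are hypothetical, and `STRICT` is a pattern written for this example, not one proposed in the thread.

```python
import ipaddress
import re

NET = ipaddress.ip_network("172.16.0.0/12")  # 172.16.0.0 - 172.31.255.255

# The three candidate patterns from the thread, copied verbatim.
THREAD = {
    "first": r"172\.(1[6-9]|2(5[0-5]|[6-9])|[3-9][0-9])\.\d+\.\d+",
    "script": r"^172\.2\d|1[6-9]|3[01]\.\d+\.\d+$",
    "grouped": r"172\.(1[6-9])|(2\d)|(3[01])\.\d\d?\d?\.\d\d?\d?",
}

# Added here, not from the thread: the second-octet alternation sits in one
# group, and every remaining octet is limited to 0-255.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
STRICT = r"172\.(?:1[6-9]|2[0-9]|3[01])\." + OCTET + r"\." + OCTET

# Constructed non-addresses that a header value could contain.
JUNK = ["16", "23", "172.16", "31.0.0", "172.16.456.789", "172.16.0.256"]


def in_net(text):
    """Ground truth: is text a valid IPv4 address inside 172.16.0.0/12?"""
    try:
        return ipaddress.ip_address(text) in NET
    except ValueError:
        return False


def disagreements(pattern, candidates):
    """Candidates where a whole-string regex match disagrees with in_net()."""
    rx = re.compile(pattern)
    return [c for c in candidates if bool(rx.fullmatch(c)) != in_net(c)]


def second_octet_errors(pattern):
    """Second-octet values (0-255) that the pattern classifies wrongly."""
    return [b for b in range(256)
            if disagreements(pattern, [f"172.{b}.0.1", f"172.{b}.255.255"])]


if __name__ == "__main__":
    for name, pat in {**THREAD, "strict": STRICT}.items():
        print(name, second_octet_errors(pat), disagreements(pat, JUNK))
```

Run as a script, it prints for each pattern the second octets it misclassifies and the junk strings it accepts; an unparenthesized alternation shows up as every octet from 16 to 31 being rejected while fragments such as `172.16` are accepted.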
