tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: RemoteIpValve lacking default 172.16/12
Date Tue, 06 Nov 2012 19:44:31 GMT

On 11/6/12 2:03 PM, Konstantin Kolinko wrote:
> 2012/11/3 Christopher Schultz <>:
>> I was looking at the Javadoc for RemoteIpValve's internalProxies 
>> attribute and I saw this comment:
>> " 172.16/12 has not been enabled by default because it is complex
>> to describe with regular expressions. "
>> I'm not sure that is true. This regex ought to do it:
>> 172\.(1[6-9]|2(5[0-5]|[6-9])|[3-9][0-9])\.\d+\.\d+
>> Any takers?
> That "2(5".. part is strange and wrong. What are you trying to do
> with it?

Allow .25x. but not .26x (as that would be >8 bits).

> According to Wikipedia [1], the range is -

Oddly enough, I used a Python script I found online to convert into a regular expression and it produced:


That didn't seem right to me at the time: my netmask math was failing
me, evidently.

> So maybe  172\.(1[6-9])|(2\d)|(3[01])\.\d\d?\d?\.\d\d?\d?
> That will be 16-19, 20-29, 30-31 for the second byte.
> (It'd be better to have some unit tests, to be sure).

I'm not sure how stringent we want our regexes to be, but \d\d\d is a
bit lenient. Since these IP addresses are coming in as strings from
HTTP headers and not as 4-byte values, is it a good idea to permit
insane IPv4 addresses like 123.456.789.888?

-chris
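
The unit test asked for in the thread, as an added example that is not part of the original message or of Tomcat's code: it checks both regexes quoted above, verbatim, and a stricter pattern against Python's `ipaddress` module as ground truth. The `STRICT` pattern, the sample addresses and the use of whole-string matching are assumptions made for this example; the syntax used is common to Python's `re` and `java.util.regex`.

```python
import ipaddress
import re

# Strict octet: 0-255, no leading zeros (constructed for this example).
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
# The second octet of 172.16.0.0/12 runs from 16 to 31.
STRICT = re.compile(r"172\.(?:1[6-9]|2[0-9]|3[01])\." + OCTET + r"\." + OCTET)

# The two patterns quoted in the thread, copied verbatim.
FIRST_PROPOSAL = re.compile(r"172\.(1[6-9]|2(5[0-5]|[6-9])|[3-9][0-9])\.\d+\.\d+")
REPLY_PROPOSAL = re.compile(r"172\.(1[6-9])|(2\d)|(3[01])\.\d\d?\d?\.\d\d?\d?")

NET = ipaddress.ip_network("172.16.0.0/12")


def in_range(text):
    """Ground truth: is text a valid IPv4 address inside 172.16.0.0/12?"""
    try:
        return ipaddress.IPv4Address(text) in NET
    except ValueError:
        return False


def disagreements(pattern, samples):
    """Samples where a whole-string regex match differs from the ground truth."""
    return [s for s in samples if bool(pattern.fullmatch(s)) != in_range(s)]


# Constructed samples: range boundaries, neighbours, out-of-range octets,
# and strings that only partly look like an address.
SAMPLES = [
    "172.15.255.255", "172.16.0.0", "172.20.1.1", "172.29.9.9",
    "172.31.255.255", "172.32.0.0", "172.99.0.1", "172.16.256.1",
    "172.16.0.999", "172.16.0.1 ", "10.16.0.1", "20", "1172.16.0.1",
]

if __name__ == "__main__":
    for name, pat in [("first proposal", FIRST_PROPOSAL),
                      ("reply proposal", REPLY_PROPOSAL),
                      ("strict", STRICT)]:
        print(f"{name}: disagrees on {disagreements(pat, SAMPLES)}")
```

The reply pattern's failures come from the ungrouped `|`: it splits the whole expression into three independent branches, so the `172\.` prefix and the trailing octets each apply to only one of them.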

