You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/02/15 14:57:45 UTC
[tomcat] branch 9.0.x updated: Fix bug BZ 66460 - add shared address space RFC 6598 to internal proxies
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 8cb3a10440 Fix bug BZ 66460 - add shared address space RFC 6598 to internal proxies
8cb3a10440 is described below
commit 8cb3a10440d8ecbfdb72a67ee100b93927de3246
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Feb 15 14:57:19 2023 +0000
Fix bug BZ 66460 - add shared address space RFC 6598 to internal proxies
---
.../apache/catalina/filters/RemoteIpFilter.java | 6 ++++-
java/org/apache/catalina/valves/RemoteIpValve.java | 6 ++++-
.../catalina/filters/TestRemoteIpFilter.java | 29 ++++++++++++++++++++++
.../apache/catalina/valves/TestRemoteIpValve.java | 28 +++++++++++++++++++++
webapps/docs/changelog.xml | 6 +++++
webapps/docs/config/filter.xml | 2 +-
webapps/docs/config/valve.xml | 2 +-
7 files changed, 75 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/filters/RemoteIpFilter.java b/java/org/apache/catalina/filters/RemoteIpFilter.java
index 5acf36cf1d..a00822816b 100644
--- a/java/org/apache/catalina/filters/RemoteIpFilter.java
+++ b/java/org/apache/catalina/filters/RemoteIpFilter.java
@@ -119,9 +119,11 @@ import org.apache.tomcat.util.res.StringManager;
* <td>Regular expression (in the syntax supported by {@link java.util.regex.Pattern java.util.regex})</td>
* <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
* 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
+ * 100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|
+ * 100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|
* 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}| 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|
* 0:0:0:0:0:0:0:1|::1 <br>
- * By default, 10/8, 192.168/16, 169.254/16, 127/8, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.</td>
+ * By default, 10/8, 192.168/16, 169.254/16, 127/8, 100.64/10, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.</td>
* </tr>
* <tr>
* <td>proxiesHeader</td>
@@ -746,6 +748,8 @@ public class RemoteIpFilter extends GenericFilter {
private Pattern internalProxies = Pattern
.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" +
"169\\.254\\.\\d{1,3}\\.\\d{1,3}|" + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
+ "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" +
+ "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "0:0:0:0:0:0:0:1|::1");
diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java b/java/org/apache/catalina/valves/RemoteIpValve.java
index 38e29aa145..9513a96319 100644
--- a/java/org/apache/catalina/valves/RemoteIpValve.java
+++ b/java/org/apache/catalina/valves/RemoteIpValve.java
@@ -99,9 +99,11 @@ import org.apache.tomcat.util.http.parser.Host;
* <td>Regular expression (in the syntax supported by {@link java.util.regex.Pattern java.util.regex})</td>
* <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
* 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
+ * 100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|
+ * 100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|
* 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}| 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|
* 0:0:0:0:0:0:0:1|::1 <br>
- * By default, 10/8, 192.168/16, 169.254/16, 127/8, 172.16/12, and ::1 are allowed.</td>
+ * By default, 10/8, 192.168/16, 169.254/16, 127/8, 100.64/10, 172.16/12, and ::1 are allowed.</td>
* </tr>
* <tr>
* <td>proxiesHeader</td>
@@ -432,6 +434,8 @@ public class RemoteIpValve extends ValveBase {
private Pattern internalProxies = Pattern
.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" +
"169\\.254\\.\\d{1,3}\\.\\d{1,3}|" + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
+ "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" +
+ "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
"172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "0:0:0:0:0:0:0:1|::1");
diff --git a/test/org/apache/catalina/filters/TestRemoteIpFilter.java b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
index 5599a4df54..dc4f157353 100644
--- a/test/org/apache/catalina/filters/TestRemoteIpFilter.java
+++ b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
@@ -27,6 +27,7 @@ import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
@@ -823,6 +824,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
Assert.assertTrue(setCookie.contains("Secure"));
Assert.assertTrue(bug66471Servlet.isSecure.booleanValue());
}
+
public static class Bug66471Servlet extends HttpServlet {
private static final long serialVersionUID = 1L;
public Boolean isSecure;
@@ -832,4 +834,31 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
isSecure = (Boolean) req.getAttribute(Globals.REMOTE_IP_FILTER_SECURE);
}
}
+
+ @Test
+ public void testInternalProxies() throws Exception {
+ RemoteIpFilter remoteIpFilter = new RemoteIpFilter();
+ Pattern internalProxiesPattern = remoteIpFilter.getInternalProxies();
+
+ doTestPattern(internalProxiesPattern, "8.8.8.8", false);
+ doTestPattern(internalProxiesPattern, "100.62.0.0", false);
+ doTestPattern(internalProxiesPattern, "100.63.255.255", false);
+ doTestPattern(internalProxiesPattern, "100.64.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.65.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.68.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.72.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.88.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.95.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.102.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.110.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.126.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.127.255.255", true);
+ doTestPattern(internalProxiesPattern, "100.128.0.0", false);
+ doTestPattern(internalProxiesPattern, "100.130.0.0", false);
+ }
+
+ private void doTestPattern(Pattern pattern, String input, boolean expectedMatch) {
+ boolean match = pattern.matcher(input).matches();
+ Assert.assertEquals(input, Boolean.valueOf(expectedMatch), Boolean.valueOf(match));
+ }
}
diff --git a/test/org/apache/catalina/valves/TestRemoteIpValve.java b/test/org/apache/catalina/valves/TestRemoteIpValve.java
index 99016ddaad..ad1a8f97ad 100644
--- a/test/org/apache/catalina/valves/TestRemoteIpValve.java
+++ b/test/org/apache/catalina/valves/TestRemoteIpValve.java
@@ -20,6 +20,7 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
+import java.util.regex.Pattern;
import javax.servlet.ServletException;
@@ -1185,4 +1186,31 @@ public class TestRemoteIpValve {
}
Assert.assertTrue(a.isEmpty());
}
+
+ @Test
+ public void testInternalProxies() throws Exception {
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ Pattern internalProxiesPattern = Pattern.compile(remoteIpValve.getInternalProxies());
+
+ doTestPattern(internalProxiesPattern, "8.8.8.8", false);
+ doTestPattern(internalProxiesPattern, "100.62.0.0", false);
+ doTestPattern(internalProxiesPattern, "100.63.255.255", false);
+ doTestPattern(internalProxiesPattern, "100.64.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.65.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.68.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.72.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.88.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.95.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.102.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.110.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.126.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.127.255.255", true);
+ doTestPattern(internalProxiesPattern, "100.128.0.0", false);
+ doTestPattern(internalProxiesPattern, "100.130.0.0", false);
+ }
+
+ private void doTestPattern(Pattern pattern, String input, boolean expectedMatch) {
+ boolean match = pattern.matcher(input).matches();
+ Assert.assertEquals(input, Boolean.valueOf(expectedMatch), Boolean.valueOf(match));
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9a76577247..b6e47c301a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -121,6 +121,12 @@
external web server. Based on code and ideas from pull request
<pr>506</pr> provided by Max Fortun. (remm)
</add>
+ <add>
+ <bug>66470</bug>: Add the Shared Address Space defined by RFC 6598
+ (100.64.0.0/10) to the regular expression used to identify internal
+ proxies for the <code>RemoteIpFilter</code> and
+ <code>RemoteIpValve</code>. (markt)
+ </add>
<fix>
<bug>66471</bug>: Fix JSessionId secure attribute missing When
<code>RemoteIpFilter</code> determines that this request was submitted
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 671de40d13..708dd2a8fe 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -1575,7 +1575,7 @@ FINE: Request "/docs/config/manager.html" with response status "200"
Internal proxies that appear in the <strong>remoteIpHeader</strong> will
be trusted and will not appear in the <strong>proxiesHeader</strong>
value. If not specified the default value of <code>
- 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
+ 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
</code> will be used.</p>
</attribute>
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index 2304f4c231..cb7ccdeadd 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -1088,7 +1088,7 @@
Internal proxies that appear in the <strong>remoteIpHeader</strong> will
be trusted and will not appear in the <strong>proxiesHeader</strong>
value. If not specified the default value of <code>
- 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
+ 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
</code> will be used.</p>
</attribute>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org