You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/11/11 19:12:00 UTC

[Bug 58603] New: RemoteIpFilter does not adjust getRequestURL()

https://bz.apache.org/bugzilla/show_bug.cgi?id=58603

            Bug ID: 58603
           Summary: RemoteIpFilter does not adjust getRequestURL()
           Product: Tomcat 8
           Version: 8.0.28
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: cristiklein@gmail.com

Created attachment 33272
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33272&action=edit
Details for how to reproduce the bug

When putting an HTTP server behind a forwarder -- such as nginx or Amazon
CloudFront -- special HTTP headers are sent -- such as X-Forwarded-Proto and
X-Forwarded-For -- to allow the server to reconstruct the URL that the client
used for making the request. This is important, for example, to construct a
meaningful "Location" HTTP response header.

The purpose of the RemoteIpFilter is to give servlets the impression that they
are operating on the original, pre-forwarded request. Hence, without changing
any line of code, the existing servlets can construct meaningful URL for the
client.

Unfortunately, the wrapped request that RemoteIpFilter produces does not
correctly implement getRequestURL(). In fact, it simply forwards this call to
the wrapped request, which contains non-meaningful information about e.g., the
HTTP schema [1][2]. This currently breaks Jetty, which relies on getRequestURL
to construct a correct "Location" header [3]. (See attachment for details on
how to reproduce the bug.)

I'm not sure what the best technical solution would be. Should
RemoteIpFilter.XForwardedRequest implement its own getRequestURL? I haven't
found an implementation for it. Could somebody point me to it?

[1]
http://grepcode.com/file/repo1.maven.org/maven2/org.apache.tomcat/tomcat-catalina/8.0.24/org/apache/catalina/filters/RemoteIpFilter.java#444
[2]
http://grepcode.com/file/repo1.maven.org/maven2/org.apache.tomcat/tomcat-servlet-api/8.0.24/javax/servlet/http/HttpServletRequestWrapper.java#212
[3]
http://grepcode.com/file/repo1.maven.org/maven2/org.glassfish.jersey.containers/jersey-container-servlet-core/2.19/org/glassfish/jersey/servlet/ServletContainer.java#253

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 58603] RemoteIpFilter does not adjust getRequestURL()

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=58603

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the report. This has been fixed in trunk, 8.0.x (for 8.0.29 onwards)
and 7.0.x (for 7.0.66 onwards).

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org