Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2012/11/02 22:38:26 UTC

RemoteIpValve lacking default 172.16/12

All,

I was looking at the Javadoc for RemoteIpValve's internalProxies
attribute and I saw this comment:

"
172.16/12 has not been enabled by default because it is complex to
describe with regular expressions.
"

I'm not sure that is true. This regex ought to do it:

172\.(1[6-9]|2(5[0-5]|[6-9])|[3-9][0-9])\.\d+\.\d+

Any takers?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: RemoteIpValve lacking default 172.16/12

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Konstantin,

On 11/6/12 2:03 PM, Konstantin Kolinko wrote:
> 2012/11/3 Christopher Schultz <ch...@christopherschultz.net>:
>> 
>> I was looking at the Javadoc for RemoteIpValve's internalProxies 
>> attribute and I saw this comment:
>> 
>> " 172.16/12 has not been enabled by default because it is complex
>> to describe with regular expressions. "
>> 
>> I'm not sure that is true. This regex ought to do it:
>> 
>> 172\.(1[6-9]|2(5[0-5]|[6-9])|[3-9][0-9])\.\d+\.\d+
>> 
>> Any takers?
>> 
> 
> That "2(5".. part is strange and wrong. What are you trying to do
> with it?

Allow .25x. but not .26x (as that would be >8 bits).

> According to Wikipedia [1], the range is 172.16.0.0 -
> 172.31.255.255

Oddly enough, I used a python script I found online to convert
172.16.0.0/12 into a regular expression and it produced:

^172\.2\d|1[6-9]|3[01]\.\d+\.\d+$

That didn't seem right to me at the time: my netmask math was failing
me, evidently.

> So maybe  172\.(1[6-9])|(2\d)|(3[01])\.\d\d?\d?\.\d\d?\d?
> 
> That will be 16-19, 20-29, 30-31 for the second byte.
> 
> (It'd be better to have some unit tests, to be sure).

I'm not sure how stringent we want our regexes to be, but \d\d\d is a
bit lenient. Since these IP addresses are coming in as strings from
HTTP headers and not as 4-byte values, is it a good idea to permit
insane IPv4 addresses like 123.456.789.888?

Thanks,
-chris



Re: RemoteIpValve lacking default 172.16/12

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/11/3 Christopher Schultz <ch...@christopherschultz.net>:
>
> I was looking at the Javadoc for RemoteIpValve's internalProxies
> attribute and I saw this comment:
>
> "
> 172.16/12 has not been enabled by default because it is complex to
> describe with regular expressions.
> "
>
> I'm not sure that is true. This regex ought to do it:
>
> 172\.(1[6-9]|2(5[0-5]|[6-9])|[3-9][0-9])\.\d+\.\d+
>
> Any takers?
>

That "2(5".. part is strange and wrong. What are you trying to do with it?

According to Wikipedia [1], the range is
172.16.0.0 - 172.31.255.255

So maybe  172\.(1[6-9])|(2\d)|(3[01])\.\d\d?\d?\.\d\d?\d?

That will be 16-19, 20-29, 30-31 for the second byte.

(It'd be better to have some unit tests, to be sure).

[1] http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces

Best regards,
Konstantin Kolinko
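
The unit tests suggested in the thread, as an added example (not code from any of the posters or from Tomcat): each regex posted above is run over constructed sample strings and compared with Python's ipaddress module for 172.16.0.0/12. It assumes the pattern has to match the whole string, as Java's Matcher.matches() does; STRICT, SAMPLES and the function names are illustrative.

```python
import ipaddress
import re

# Patterns copied verbatim from the thread.
THREAD_PATTERNS = {
    "first": r"172\.(1[6-9]|2(5[0-5]|[6-9])|[3-9][0-9])\.\d+\.\d+",
    "script": r"^172\.2\d|1[6-9]|3[01]\.\d+\.\d+$",
    "second": r"172\.(1[6-9])|(2\d)|(3[01])\.\d\d?\d?\.\d\d?\d?",
}

# Added for comparison (not from the thread): the alternation is grouped
# and every free octet is limited to 0-255.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT = r"172\.(?:1[6-9]|2\d|3[01])\." + OCTET + r"\." + OCTET

NET = ipaddress.ip_network("172.16.0.0/12")

# Constructed samples: range edges, neighbours, an impossible octet and
# fragments that an ungrouped alternation can match on their own.
SAMPLES = [
    "172.16.0.0", "172.20.1.1", "172.31.255.255",
    "172.15.255.255", "172.32.0.0", "172.16.999.1",
    "25", "172.16", "30.1.1",
]


def in_range(text):
    """Ground truth: text is a valid IPv4 address inside 172.16.0.0/12."""
    try:
        return ipaddress.IPv4Address(text) in NET
    except ValueError:
        return False


def mismatches(pattern):
    """Samples where a whole-string match disagrees with the ground truth."""
    # re.ASCII keeps \d to 0-9, as java.util.regex does by default.
    rx = re.compile(pattern, re.ASCII)
    return [s for s in SAMPLES if bool(rx.fullmatch(s)) != in_range(s)]


if __name__ == "__main__":
    for name, pattern in {**THREAD_PATTERNS, "strict": STRICT}.items():
        print(name, mismatches(pattern))
```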
