You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@wicket.apache.org by Benjamin Steinert <be...@comsysto.com> on 2012/09/25 11:10:40 UTC

X-Forwarded-For handling in method getRemoteAddr()

Hi everyone,

I need you input regarding the Wicket  WebClientInfo implementation of
getRemoteAddr() (extracted from Wicket 1.5.3 but I think it did not
change in release 6):

...
String remoteAddr = request.getHeader("X-Forwarded-For");
  if (remoteAddr == null)
  {
    remoteAddr = req.getRemoteAddr();
  }
  else
  {
    if (remoteAddr.contains(","))
    {
    // we just want the client
      remoteAddr = remoteAddr.split(",")[0].trim();
    }
  }
return remoteAddr;

I am facing the problem that we get the String "unknown" set by some
Proxy in the Forwarded-For field.
According to the IETF draft this is in fact a valid value:
http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-6

Now unfortunately the the simple null check prevents falling back to the
Servlet request based getRemoteAddr which would be more helpful than
having a String that is no IP Address.

I would suggest something like
if (remoteAddr == null ||
  !InetAddressValidator.getInstance().isValid(remoteAddr))
{ ... }

to ensure that the given value is an IP. What would you say? Bug,
Feature or simply unnecessary? ;)

Cheers
Ben

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org

Re: X-Forwarded-For handling in method getRemoteAddr()

Posted by Martin Grigorov <mg...@apache.org>.

Hi,

Please file a ticket to improve this.
Thanks!

On Tue, Sep 25, 2012 at 12:10 PM, Benjamin Steinert
<be...@comsysto.com> wrote:
> Hi everyone,
>
> I need you input regarding the Wicket  WebClientInfo implementation of
> getRemoteAddr() (extracted from Wicket 1.5.3 but I think it did not
> change in release 6):
>
> ...
> String remoteAddr = request.getHeader("X-Forwarded-For");
>   if (remoteAddr == null)
>   {
>     remoteAddr = req.getRemoteAddr();
>   }
>   else
>   {
>     if (remoteAddr.contains(","))
>     {
>     // we just want the client
>       remoteAddr = remoteAddr.split(",")[0].trim();
>     }
>   }
> return remoteAddr;
>
> I am facing the problem that we get the String "unknown" set by some
> Proxy in the Forwarded-For field.
> According to the IETF draft this is in fact a valid value:
> http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-6
>
> Now unfortunately the the simple null check prevents falling back to the
> Servlet request based getRemoteAddr which would be more helpful than
> having a String that is no IP Address.
>
> I would suggest something like
> if (remoteAddr == null ||
>   !InetAddressValidator.getInstance().isValid(remoteAddr))
> { ... }
>
> to ensure that the given value is an IP. What would you say? Bug,
> Feature or simply unnecessary? ;)
>
> Cheers
> Ben
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org

Re: X-Forwarded-For handling in method getRemoteAddr()

Posted by Igor Vaynberg <ig...@gmail.com>.

On Tue, Sep 25, 2012 at 2:10 AM, Benjamin Steinert
<be...@comsysto.com> wrote:
> Hi everyone,
>
> I need you input regarding the Wicket  WebClientInfo implementation of
> getRemoteAddr() (extracted from Wicket 1.5.3 but I think it did not
> change in release 6):
>
> ...
> String remoteAddr = request.getHeader("X-Forwarded-For");
>   if (remoteAddr == null)
>   {
>     remoteAddr = req.getRemoteAddr();
>   }
>   else
>   {
>     if (remoteAddr.contains(","))
>     {
>     // we just want the client
>       remoteAddr = remoteAddr.split(",")[0].trim();
>     }
>   }
> return remoteAddr;
>
> I am facing the problem that we get the String "unknown" set by some
> Proxy in the Forwarded-For field.
> According to the IETF draft this is in fact a valid value:
> http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-6
>
> Now unfortunately the the simple null check prevents falling back to the
> Servlet request based getRemoteAddr which would be more helpful than
> having a String that is no IP Address.

how is an ip address of some proxy in your data center more useful? i
dont think an external proxy would set such a header....

-igor

>
> I would suggest something like
> if (remoteAddr == null ||
>   !InetAddressValidator.getInstance().isValid(remoteAddr))
> { ... }
>
> to ensure that the given value is an IP. What would you say? Bug,
> Feature or simply unnecessary? ;)
>
> Cheers
> Ben
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org