You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/12/06 14:39:29 UTC
svn commit: r1848322 - in /tomcat/trunk:
java/org/apache/catalina/filters/RemoteIpFilter.java
java/org/apache/catalina/valves/RemoteIpValve.java webapps/docs/changelog.xml
Author: markt
Date: Thu Dec 6 14:39:29 2018
New Revision: 1848322
URL: http://svn.apache.org/viewvc?rev=1848322&view=rev
Log:
Update the RemoteIpFilter to handle multiple values in the x-forwarded-proto header.
Based on a patch provided by Tom Groot.
Modified:
tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java
tomcat/trunk/java/org/apache/catalina/valves/RemoteIpValve.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java?rev=1848322&r1=1848321&r2=1848322&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java Thu Dec 6 14:39:29 2018
@@ -77,7 +77,7 @@ import org.apache.tomcat.util.http.FastH
* <li>otherwise, the ip/host is declared to be the remote ip and looping is stopped.</li>
* </ul>
* </li>
- * <li>If the request http header named <code>$protocolHeader</code> (e.g. <code>x-forwarded-for</code>) equals to the value of
+ * <li>If the request http header named <code>$protocolHeader</code> (e.g. <code>x-forwarded-proto</code>) consists only of forwards that match
* <code>protocolHeaderHttpsValue</code> configuration parameter (default <code>https</code>) then <code>request.isSecure = true</code>,
* <code>request.scheme = https</code> and <code>request.serverPort = 443</code>. Note that 443 can be overwritten with the
* <code>$httpsServerPort</code> configuration parameter.</li>
@@ -805,8 +805,9 @@ public class RemoteIpFilter extends Gene
if (protocolHeader != null) {
String protocolHeaderValue = request.getHeader(protocolHeader);
if (protocolHeaderValue == null) {
- // don't modify the secure,scheme and serverPort attributes of the request
- } else if (protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {
+ // Don't modify the secure, scheme and serverPort attributes
+ // of the request
+ } else if (isForwardedProtoHeaderValueSecure(protocolHeaderValue)) {
xRequest.setSecure(true);
xRequest.setScheme("https");
setPorts(xRequest, httpsServerPort);
@@ -850,6 +851,26 @@ public class RemoteIpFilter extends Gene
}
+ /*
+ * Considers the value to be secure if it exclusively holds forwards for
+ * {@link #protocolHeaderHttpsValue}.
+ */
+ private boolean isForwardedProtoHeaderValueSecure(String protocolHeaderValue) {
+ if (!protocolHeaderValue.contains(",")) {
+ return protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue);
+ }
+ String[] forwardedProtocols = commaDelimitedListToStringArray(protocolHeaderValue);
+ if (forwardedProtocols.length == 0) {
+ return false;
+ }
+ for (int i = 0; i < forwardedProtocols.length; i++) {
+ if (!protocolHeaderHttpsValue.equalsIgnoreCase(forwardedProtocols[i])) {
+ return false;
+ }
+ }
+ return true;
+ }
+
private void setPorts(XForwardedRequest xrequest, int defaultPort) {
int port = defaultPort;
if (getPortHeader() != null) {
Modified: tomcat/trunk/java/org/apache/catalina/valves/RemoteIpValve.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/RemoteIpValve.java?rev=1848322&r1=1848321&r2=1848322&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/valves/RemoteIpValve.java (original)
+++ tomcat/trunk/java/org/apache/catalina/valves/RemoteIpValve.java Thu Dec 6 14:39:29 2018
@@ -638,7 +638,7 @@ public class RemoteIpValve extends Valve
if (protocolHeader != null) {
String protocolHeaderValue = request.getHeader(protocolHeader);
if (protocolHeaderValue == null) {
- // don't modify the secure,scheme and serverPort attributes
+ // Don't modify the secure, scheme and serverPort attributes
// of the request
} else if (isForwardedProtoHeaderValueSecure(protocolHeaderValue)) {
request.setSecure(true);
@@ -699,7 +699,7 @@ public class RemoteIpValve extends Valve
}
}
- /**
+ /*
* Considers the value to be secure if it exclusively holds forwards for
* {@link #protocolHeaderHttpsValue}.
*/
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1848322&r1=1848321&r2=1848322&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Dec 6 14:39:29 2018
@@ -119,6 +119,11 @@
the <code>x-forwarded-proto</code> header. Patch provided by Tom Groot.
(markt)
</fix>
+ <fix>
+ Update the RemoteIpFilter to handle multiple values in the
+ <code>x-forwarded-proto</code> header. Based on a patch provided by Tom
+ Groot. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org