markt-asf commented on PR #993: URL: https://github.com/apache/tomcat/pull/993#issuecomment-4266435001
If the remote IP valve/filter is being used, then the data is being provided from a trusted source and can assume to be valid. If validation were to be added then it would be a "defence in depth" measure. Adding validation slows down every request. Yes, invalid data may cause problems but I am not convinced the risk of that (given that the source data should be correct) justifies the per request cost of validation. Maybe making validation optional is a way forward. The proposed validation is insufficient and allows more characters than are permitted in IP addresses. Validation by character is insufficient. It will not prevent an IP address like "999.999.999.999". If validation is going to be applied then it needs to be complete. There is code that might help in HttpParser (although it can't be used as-is unless it is decided that host names are acceptable in the header). Given that the remote IP valve/filter is providing security related functionality (the new remote IP will be used to make security decisions and/or generate security logs) then I'm not sure, if the data is going to be validated, that ignoring invalid data is correct. Rejection with a 400 seems more appropriate. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
