> -----Original Message-----
> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
> Sent: 31 October 2012 20:35
> To: Tomcat Users List
> Subject: RE: Comma related bug in
> org.apache.catalina.valves.RemoteIpValve
> 
> > From: André Warnier [mailto:a...@ice-sa.com]
> > Subject: Re: Comma related bug in
> > org.apache.catalina.valves.RemoteIpValve
> 
> > We'll probably end up with something like
> > <tag>"regex1","regex2",...</tag>.
> > Or a single regex, with "|" between the alternatives (which could be a
> > workaround for you now, I guess).
> 
> I have a vague memory of a discussion on either the dev or users' list about
> simply removing the comma separation, and using just regex standard
> formats.  As I recall, the final resolution was to remove the comma
> separation in Tomcat 7, but keep it in 6 for compatibility - even if it is broken
> and not completely resolvable.  If you look at the RemoteIpValve doc for 7,
> you'll see there's no mention of comma-separated regexes.

Yep.  Tomcat 7 is treating the values as whole regexes (taking advantage of 
regular expressions' logical OR operation - the pipe symbol).  

In Tomcat 6 though, there is a real bug with the current documentation and 
implementation. The documentation gives example values for internalProxies that 
have commas in the regex.  See 
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_IP_Valve and 
http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
Both specify the following as the default value for internalProxies: 

        10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}

But that value won't work if you assigned it to internalProxies because it has 
commas in the "{1,3}" bit.  Worse still, the valve silently fails, giving no 
feedback that there's anything wrong.  

Quick remedies would be to change the code and documentation to use this as the 
default: 

        10\.\d{1,3}\.\d+\.\d{1,3}, 192\.168\.\d+\.\d+, 169\.254\.\d+\.\d+, 127\.\d+\.\d+\.\d+

Which replaces "{1,3}" with "+".  

Adding a warning about commas to the code and documentation would also go 
a long way.   

> 
> The moral of the story: upgrade.

> 
>  - Chuck
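
An added example, not part of the original message and not Tomcat's code: a small Python check that models the comma-separated handling described above, showing how the documented default fragments and stops matching internal proxy addresses, next to the same alternatives joined with "|" as one regex. The function names, the sample addresses and the use of full-string matching are assumptions made for illustration.

```python
import re

# Default internalProxies value quoted in the message above.
DOCUMENTED_DEFAULT = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, "
    r"169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
)

def split_on_commas(value):
    """Model of comma-separated handling: every comma is a separator,
    including the ones inside {1,3} quantifiers."""
    return [part.strip() for part in value.split(",") if part.strip()]

def compile_all(fragments):
    """Compile each fragment, dropping any the regex engine rejects.
    Python's re reads an unclosed '{1' as literal text; other engines
    may reject it instead. Either way the fragment is useless."""
    compiled = []
    for fragment in fragments:
        try:
            compiled.append(re.compile(fragment))
        except re.error:
            continue
    return compiled

def is_internal(patterns, ip):
    """True if any pattern matches the whole address (assumed semantics)."""
    return any(p.fullmatch(ip) for p in patterns)

def as_single_regex(value):
    """Split only on commas that are outside {...}, then join the
    alternatives with '|' so the value is one regex."""
    parts = re.split(r",\s*(?![^{}]*\})", value)
    return re.compile("|".join(p.strip() for p in parts))

def audit(value, addresses):
    """Per address: (matched after comma split, matched as one regex)."""
    split_patterns = compile_all(split_on_commas(value))
    whole = as_single_regex(value)
    return {ip: (is_internal(split_patterns, ip), bool(whole.fullmatch(ip)))
            for ip in addresses}

if __name__ == "__main__":
    # Constructed sample addresses, one per documented range plus one outside.
    samples = ["10.1.2.3", "192.168.0.1", "169.254.10.20", "127.0.0.1", "8.8.8.8"]
    print(split_on_commas(DOCUMENTED_DEFAULT))
    for ip, (split_ok, whole_ok) in audit(DOCUMENTED_DEFAULT, samples).items():
        print(f"{ip:15} comma-split={split_ok!s:5} single-regex={whole_ok}")
```

Running a configured value through a check like this before deployment surfaces the mismatch that the valve itself does not report.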
