Simon,

On 11/2/12 12:27 PM, Simon Dean wrote:
>> -----Original Message-----
>> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
>> Sent: 31 October 2012 20:35
>> To: Tomcat Users List
>> Subject: RE: Comma related bug in org.apache.catalina.valves.RemoteIpValve
>>
>>> From: André Warnier [mailto:a...@ice-sa.com]
>>> Subject: Re: Comma related bug in org.apache.catalina.valves.RemoteIpValve
>>>
>>> We'll probably end up with something like
>>> <tag>"regex1","regex2",...</tag>.
>>> Or a single regex, with "|" between the alternatives (which
>>> could be a workaround for you now, I guess).
>>
>> I have a vague memory of a discussion on either the dev or users'
>> list about simply removing the comma separation, and using just
>> regex standard formats. As I recall, the final resolution was to
>> remove the comma separation in Tomcat 7, but keep it in 6 for
>> compatibility - even if it is broken and not completely
>> resolvable. If you look at the RemoteIpValve doc for 7, you'll
>> see there's no mention of comma-separated regexes.
>
> Yep. Tomcat 7 is treating the values as whole regexes (taking advantage
> of regular expressions' logical OR operation - the pipe symbol).
>
> In Tomcat 6 though, there is a real bug with the current
> documentation and implementation. The documentation gives example
> values for internalProxies that have commas in the regex. See
> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_IP_Valve
> and
> http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
> Both specify the following as the default value for internalProxies:
>
> 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3},
> 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
>
> But that value won't work if you assigned it to internalProxies
> because it has commas in the "{1,3}" bit. Worse still, the valve
> silently fails, giving no feedback that there's anything wrong.
>
> Quick remedies would be to change the code and documentation to
> use this as the default:
>
> 10\.\d{1,3}\.\d+\.\d{1,3}, 192\.168\.\d+\.\d+, 169\.254\.\d+\.\d+,
> 127\.\d+\.\d+\.\d+
>
> Which replaces "{1,3}" with "+".

You missed a few, and you could be safer. Instead of using \d{1,3} in
general for an octet, I would recommend something like this:

0|1[0-9][0-9]?|2([0-4][0-9]|5[0-5]|[6-9])

This disallows things like 123.456.789.999, though it is a bit more
complicated. It does not contain any commas, though. For an example on
the site, though, a simple \d+ should suffice.

> Also adding a warning about commas to the code and documentation
> would also go a long way.

Patches -- especially to the documentation -- are always welcome.

-chris
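The comma problem discussed in this thread, worked through as an added example (this is not code from the thread or from Tomcat): it simulates the two parsing rules the messages describe, Tomcat 6 splitting internalProxies on commas and Tomcat 7 treating the value as one regex, and reports which constructed sample addresses each configuration actually recognizes as an internal proxy. The whole-address match and the sample addresses are assumptions of the example.

```python
import re

# The four regexes the Tomcat 6 docs list (quoted in the thread), kept as separate
# items so the same intent can be written in both syntaxes.
INTENDED = [r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}", r"192\.168\.\d{1,3}\.\d{1,3}",
            r"169\.254\.\d{1,3}\.\d{1,3}", r"127\.\d{1,3}\.\d{1,3}\.\d{1,3}"]
DOCUMENTED_DEFAULT = ", ".join(INTENDED)   # exactly the value the docs show
PIPE_JOINED = "|".join(INTENDED)           # the "|" workaround mentioned in the thread
# The "quick remedy" value from the thread: the first pattern still contains {1,3}.
QUICK_REMEDY = (r"10\.\d{1,3}\.\d+\.\d{1,3}, 192\.168\.\d+\.\d+, "
                r"169\.254\.\d+\.\d+, 127\.\d+\.\d+\.\d+")
# Constructed sample: one address in each documented range, plus one external address.
SAMPLE_IPS = ["10.1.2.3", "192.168.0.1", "169.254.1.1", "127.0.0.1", "203.0.113.5"]


def tomcat6_split(value):
    """Tomcat 6 rule as described in the thread: the attribute is a comma-separated list."""
    return [piece.strip() for piece in value.split(",") if piece.strip()]


def tomcat7_whole(value):
    """Tomcat 7 rule: the whole attribute is a single regex; alternatives use '|'."""
    return [value.strip()]


def recognized_proxies(value, rule, ips=SAMPLE_IPS):
    """Return (addresses recognized as internal proxies, fragments that match nothing).

    Assumes the valve matches the whole address, hence fullmatch(). Python keeps an
    unterminated '{' as a literal, so a fragment like '10\\.\\d{1' compiles but can
    never match an address; java.util.regex rejects it instead, and the thread
    reports that the valve then fails silently. Both outcomes end up in `dead`.
    """
    compiled = []
    for frag in rule(value):
        try:
            compiled.append((frag, re.compile(frag)))
        except re.error:
            compiled.append((frag, None))
    matched = [ip for ip in ips
               if any(pat is not None and pat.fullmatch(ip) for _, pat in compiled)]
    dead = [frag for frag, pat in compiled
            if pat is None or not any(pat.fullmatch(ip) for ip in ips)]
    return matched, dead


if __name__ == "__main__":
    for label, value, rule in [("docs default, Tomcat 6 rule", DOCUMENTED_DEFAULT, tomcat6_split),
                               ("quick remedy, Tomcat 6 rule", QUICK_REMEDY, tomcat6_split),
                               ("pipe-joined, Tomcat 7 rule", PIPE_JOINED, tomcat7_whole)]:
        matched, dead = recognized_proxies(value, rule)
        print(f"{label}: recognized={matched} dead_fragments={len(dead)}")
```

Under the Tomcat 6 rule the documented default yields 14 fragments and recognizes nothing, the quick remedy still misses the 10.x range, and only the pipe-joined whole regex recognizes all four ranges.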