Our filter is not doing anything fancy (and it has always worked correctly before we ran into this bug). In pseudo-code:

public doFilter(request, response, chain) {
    // Address of the directly connected peer
    String ip = request.getRemoteAddr();
    boolean isProxy = isProxy(ip);
    if (isProxy) {
        // Peer is a detected proxy: take the originating IP from X-Forwarded-For
        String unwrappedIP = unwrapXForwardedFor(request);
        chain.doFilter(new MobileProxyHidingServletRequestWrapper(request, unwrappedIP), response);
    } else {
        chain.doFilter(request, response);
    }
}

All that MobileProxyHidingServletRequestWrapper does is override getRemoteAddr(), returning unwrappedIP instead of delegating to the actual request, while unwrapXForwardedFor() does what the name suggests, which is processing X-Forwarded-For to obtain the originating IP before it hit the detected proxy.

*Manuel Dominguez Sarmiento*

On 05/02/2020 10:28, Mark Thomas wrote:
> On 04/02/2020 22:27, Manuel Dominguez Sarmiento wrote:
>> We are getting the NPEs in a top-of-the-chain servlet filter which
>> decorates HttpServletRequest.getRemoteAddr() before actual servlet
>> processing. Only on HTTP/2 and in a very small number of cases. Perhaps
>> we should test 9.0.31 and see what happens. When is this new version due
>> for release?
> I'm just working through back-porting some changes and then I'll be
> starting the release process. 9.0.31 should be available towards the
> beginning of next week.
>
> Can you expand on what your filter is doing? When is the call made to
> HttpServletRequest.getRemoteAddr() on the original request?
>
> Mark
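
One way the unwrapXForwardedFor() step described in this thread could be written so that only detected proxies are allowed to vouch for a client address. This is an added example, not the poster's or Tomcat's code; the class name, the trusted-proxy set and the sample addresses are assumptions.

```java
import java.util.Set;

// Added illustration; ForwardedForUnwrapper and its proxy list are hypothetical.
public class ForwardedForUnwrapper {

    private final Set<String> trustedProxies;

    public ForwardedForUnwrapper(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * remoteAddr is the peer address from getRemoteAddr(); forwardedFor is
     * the raw X-Forwarded-For header value and may be null.
     */
    public String unwrap(String remoteAddr, String forwardedFor) {
        // Only a detected proxy may speak for another client. A header sent
        // over a direct connection is client-controlled and is ignored.
        if (remoteAddr == null || forwardedFor == null
                || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = forwardedFor.split(",");
        // Walk right to left: each proxy appends the peer it saw, so the
        // rightmost entries were written by infrastructure we trust, while
        // the leftmost ones can be forged by the client.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop)) {
                return hop; // first address not written by a trusted proxy
            }
        }
        // Header was empty or listed only proxies: keep the real peer.
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed sample data using documentation address ranges.
        ForwardedForUnwrapper u =
                new ForwardedForUnwrapper(Set.of("192.0.2.10", "192.0.2.11"));
        // Forged leftmost entry from the client, then two proxy hops.
        System.out.println(u.unwrap("192.0.2.10", "10.0.0.1, 203.0.113.7, 192.0.2.11"));
        // Direct connection that sets the header itself.
        System.out.println(u.unwrap("198.51.100.4", "203.0.113.7"));
        // Proxy that sent no header at all.
        System.out.println(u.unwrap("192.0.2.10", null));
    }
}
```

Keeping the null and non-proxy cases on the plain getRemoteAddr() path means the wrapper is only ever constructed with an address that a detected proxy supplied.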
