This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new 30732a7053 Fix bug BZ 66460 - add shared address space RFC 6598 to internal proxies 30732a7053 is described below commit 30732a7053608689db762eddd615f0c18f60706d Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Feb 15 14:57:19 2023 +0000 Fix bug BZ 66460 - add shared address space RFC 6598 to internal proxies --- .../apache/catalina/filters/RemoteIpFilter.java | 6 ++++- java/org/apache/catalina/valves/RemoteIpValve.java | 6 ++++- .../catalina/filters/TestRemoteIpFilter.java | 29 ++++++++++++++++++++++ .../apache/catalina/valves/TestRemoteIpValve.java | 28 +++++++++++++++++++++ webapps/docs/changelog.xml | 6 +++++ webapps/docs/config/filter.xml | 2 +- webapps/docs/config/valve.xml | 2 +- 7 files changed, 75 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/filters/RemoteIpFilter.java b/java/org/apache/catalina/filters/RemoteIpFilter.java
index 25cb2336a1..fa2b917c97 100644
--- a/java/org/apache/catalina/filters/RemoteIpFilter.java
+++ b/java/org/apache/catalina/filters/RemoteIpFilter.java
@@ -118,9 +118,11 @@ import org.apache.tomcat.util.res.StringManager;
 * <td>Regular expression (in the syntax supported by {@link java.util.regex.Pattern java.util.regex})</td>
 * <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
 * 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
+ * 100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|
+ * 100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|
 * 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}| 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|
 * 0:0:0:0:0:0:0:1|::1 <br>
- * By default, 10/8, 192.168/16, 169.254/16, 127/8, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.</td>
+ * By default, 10/8, 192.168/16, 169.254/16, 127/8, 100.64/10, 172.16/12, and 0:0:0:0:0:0:0:1 are allowed.</td>
 * </tr>
 * <tr>
 * <td>proxiesHeader</td>
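Review bot: The new Javadoc row lists 100.64/10 among the default internalProxies without saying what that range is, and that is the security-relevant part of this change: 100.64.0.0/10 is the RFC 6598 shared address space used for carrier-grade NAT, so a Tomcat that is reachable directly from such a network (no reverse proxy of its own in front) will from now on treat those peers as trusted proxies and honour the remoteIpHeader values they send. A sentence after the default list would make the trade-off visible to operators, e.g. `100.64/10 is the RFC 6598 shared address space (carrier-grade NAT); set internalProxies explicitly if clients can reach this server directly from that range.` The same wording is needed in the RemoteIpValve Javadoc hunk at @@ -97,9 +97,11 @@ and in the filter.xml and valve.xml attribute descriptions. The commit title refers to BZ 66460 while the changelog entry references bug 66470; one of the two ids appears to be a typo.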
@@ -718,6 +720,8 @@ public class RemoteIpFilter extends GenericFilter {
 private Pattern internalProxies = Pattern
 .compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" +
 "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
+ "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" +
+ "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
 "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
 "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "0:0:0:0:0:0:0:1|::1");
diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java b/java/org/apache/catalina/valves/RemoteIpValve.java
index 42ece0d255..a286bb49ba 100644
--- a/java/org/apache/catalina/valves/RemoteIpValve.java
+++ b/java/org/apache/catalina/valves/RemoteIpValve.java
@@ -97,9 +97,11 @@ import org.apache.tomcat.util.http.parser.Host;
 * <td>Regular expression (in the syntax supported by {@link java.util.regex.Pattern java.util.regex})</td>
 * <td>10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
 * 169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
+ * 100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|
+ * 100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|
 * 172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}| 172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|
 * 0:0:0:0:0:0:0:1|::1 <br>
- * By default, 10/8, 192.168/16, 169.254/16, 127/8, 172.16/12, and ::1 are allowed.</td>
+ * By default, 10/8, 192.168/16, 169.254/16, 127/8, 100.64/10, 172.16/12, and ::1 are allowed.</td>
 * </tr>
 * <tr>
 * <td>proxiesHeader</td>
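Review bot: The default internalProxies expression is now a twelve-alternative literal maintained by hand in RemoteIpFilter, in RemoteIpValve (same change at @@ -402,6 +404,8 @@), in both Javadoc tables and in filter.xml/valve.xml, and the copies already disagree in detail: the filter Javadoc names 0:0:0:0:0:0:0:1 as the IPv6 default, the valve Javadoc names ::1, and the two config pages omit `|::1` from the expression altogether. Defining the string once as a shared package-visible constant that both classes (and both new tests) reference would keep the next range addition to a single edit. The `\\d{1,3}` octet matcher reused by the four new alternatives also accepts values above 255 (pre-existing, and as far as the visible tests show the pattern is applied with matches() to addresses that are already syntactically valid, so this is unlikely to matter in practice), but `(25[0-5]|2[0-4]\\d|1?\\d{1,2})` would make the default exact if it is ever revisited.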
@@ -402,6 +404,8 @@ public class RemoteIpValve extends ValveBase {
 private Pattern internalProxies = Pattern
 .compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" +
 "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" +
+ "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" +
+ "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
 "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
 "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "0:0:0:0:0:0:0:1|::1");
diff --git a/test/org/apache/catalina/filters/TestRemoteIpFilter.java b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
index 1706e7ccf7..2387c3cb98 100644
--- a/test/org/apache/catalina/filters/TestRemoteIpFilter.java
+++ b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
@@ -27,6 +27,7 @@ import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -823,6 +824,7 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 Assert.assertTrue(setCookie.contains("Secure"));
 Assert.assertTrue(bug66471Servlet.isSecure.booleanValue());
 }
+
 public static class Bug66471Servlet extends HttpServlet {
 private static final long serialVersionUID = 1L;
 public Boolean isSecure;
@@ -832,4 +834,31 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 isSecure = (Boolean) req.getAttribute(Globals.REMOTE_IP_FILTER_SECURE);
 }
 }
+
+ @Test
+ public void testInternalProxies() throws Exception {
+ RemoteIpFilter remoteIpFilter = new RemoteIpFilter();
+ Pattern internalProxiesPattern = remoteIpFilter.getInternalProxies();
+
+ doTestPattern(internalProxiesPattern, "8.8.8.8", false);
+ doTestPattern(internalProxiesPattern, "100.62.0.0", false);
+ doTestPattern(internalProxiesPattern, "100.63.255.255", false);
+ doTestPattern(internalProxiesPattern, "100.64.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.65.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.68.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.72.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.88.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.95.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.102.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.110.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.126.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.127.255.255", true);
+ doTestPattern(internalProxiesPattern, "100.128.0.0", false);
+ doTestPattern(internalProxiesPattern, "100.130.0.0", false);
+ }
+
+ private void doTestPattern(Pattern pattern, String input, boolean expectedMatch) {
+ boolean match = pattern.matcher(input).matches();
+ Assert.assertEquals(input, Boolean.valueOf(expectedMatch), Boolean.valueOf(match));
+ }
 }
diff --git a/test/org/apache/catalina/valves/TestRemoteIpValve.java b/test/org/apache/catalina/valves/TestRemoteIpValve.java
index a47313a864..ec225d7ac8 100644
--- a/test/org/apache/catalina/valves/TestRemoteIpValve.java
+++ b/test/org/apache/catalina/valves/TestRemoteIpValve.java
@@ -20,6 +20,7 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.regex.Pattern;
 import jakarta.servlet.ServletException;
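Review bot: testInternalProxies pins the 100.64/10 boundaries well, but it appears to be the first test of the default pattern at all and leaves the edges of the pre-existing ranges unchecked, so a later edit that loosens 172.16/12 or 192.168/16 would still pass; adding `doTestPattern(internalProxiesPattern, "172.31.255.255", true);`, `doTestPattern(internalProxiesPattern, "172.32.0.0", false);` and `doTestPattern(internalProxiesPattern, "192.169.0.0", false);` would close that gap. The same applies to the TestRemoteIpValve hunk at @@ -1185,4 +1186,31 @@, where doTestPattern is duplicated verbatim and could live in a shared test helper. Note also that the two tests reach the pattern differently (the filter's getInternalProxies() returns a Pattern, the valve's returns a String that the test compiles), which is an existing API asymmetry worth a short comment in the test so the next reader does not take it for a mistake.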
@@ -1185,4 +1186,31 @@ public class TestRemoteIpValve {
 }
 Assert.assertTrue(a.isEmpty());
 }
+
+ @Test
+ public void testInternalProxies() throws Exception {
+ RemoteIpValve remoteIpValve = new RemoteIpValve();
+ Pattern internalProxiesPattern = Pattern.compile(remoteIpValve.getInternalProxies());
+
+ doTestPattern(internalProxiesPattern, "8.8.8.8", false);
+ doTestPattern(internalProxiesPattern, "100.62.0.0", false);
+ doTestPattern(internalProxiesPattern, "100.63.255.255", false);
+ doTestPattern(internalProxiesPattern, "100.64.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.65.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.68.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.72.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.88.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.95.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.102.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.110.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.126.0.0", true);
+ doTestPattern(internalProxiesPattern, "100.127.255.255", true);
+ doTestPattern(internalProxiesPattern, "100.128.0.0", false);
+ doTestPattern(internalProxiesPattern, "100.130.0.0", false);
+ }
+
+ private void doTestPattern(Pattern pattern, String input, boolean expectedMatch) {
+ boolean match = pattern.matcher(input).matches();
+ Assert.assertEquals(input, Boolean.valueOf(expectedMatch), Boolean.valueOf(match));
+ }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 736e0894c4..85ef784377 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -170,6 +170,12 @@ external web server. Based on code and ideas from pull request <pr>506</pr> provided by Max Fortun. (remm)
 </add>
+ <add>
+ <bug>66470</bug>: Add the Shared Address Space defined by RFC 6598
+ (100.64.0.0/10) to the regular expression used to identify internal
+ proxies for the <code>RemoteIpFilter</code> and
+ <code>RemoteIpValve</code>. (markt)
+ </add>
 <fix>
 <bug>66471</bug>: Fix JSessionId secure attribute missing When <code>RemoteIpFilter</code> determines that this request was submitted
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 8a92c772f6..6dee03d830 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -1575,7 +1575,7 @@ FINE: Request "/docs/config/manager.html" with response status "200"
 Internal proxies that appear in the <strong>remoteIpHeader</strong> will be trusted and will not appear in the <strong>proxiesHeader</strong> value. If not specified the default value of <code>
- 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
+ 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
 </code> will be used.</p> </attribute>
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index 8172e28428..53b73e04da 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -1087,7 +1087,7 @@
 Internal proxies that appear in the <strong>remoteIpHeader</strong> will be trusted and will not appear in the <strong>proxiesHeader</strong> value. If not specified the default value of <code>
- 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
+ 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
 </code> will be used.</p> </attribute>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org