This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push: new dfa7b11c5a Fix BZ 69600 = Add IPv6 local addresses to default internal proxies dfa7b11c5a is described below commit dfa7b11c5a2beae3da0f2ba46cb320d5b4b2a5db Author: Mark Thomas <ma...@apache.org> AuthorDate: Fri Mar 28 11:38:02 2025 +0000 Fix BZ 69600 = Add IPv6 local addresses to default internal proxies https://bz.apache.org/bugzilla/show_bug.cgi?id=69600 --- java/org/apache/catalina/filters/RemoteIpFilter.java | 3 ++- java/org/apache/catalina/valves/RemoteIpValve.java | 3 ++- .../apache/catalina/filters/TestRemoteIpFilter.java | 20 ++++++++++++++++++++ .../apache/catalina/valves/TestRemoteIpValve.java | 20 ++++++++++++++++++++ webapps/docs/changelog.xml | 5 +++++ webapps/docs/config/filter.xml | 2 +- webapps/docs/config/valve.xml | 2 +- 7 files changed, 51 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/filters/RemoteIpFilter.java b/java/org/apache/catalina/filters/RemoteIpFilter.java
index c4d28f9a56..501543fb36 100644
--- a/java/org/apache/catalina/filters/RemoteIpFilter.java
+++ b/java/org/apache/catalina/filters/RemoteIpFilter.java
@@ -692,7 +692,8 @@ public class RemoteIpFilter extends GenericFilter {
 "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
- "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "0:0:0:0:0:0:0:1|::1");
+ "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "0:0:0:0:0:0:0:1|::1|" +
+ "fe[89ab]\\p{XDigit}:.*|" + "f[cd]\\p{XDigit}{2}+:.*");
 /**
 * @see #setProtocolHeader(String)
diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java b/java/org/apache/catalina/valves/RemoteIpValve.java
index b10fdb8a36..5a16e0dbf5 100644
--- a/java/org/apache/catalina/valves/RemoteIpValve.java
+++ b/java/org/apache/catalina/valves/RemoteIpValve.java
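Review bot: In RemoteIpFilter.java the two added alternatives handle case inconsistently: the literals `fe[89ab]` and `f[cd]` are lowercase-only while `\\p{XDigit}` accepts both cases, so `fe8A::1` is treated as internal and `FE80::1` is not. The docs changed in this commit say the pattern is applied to addresses found in `remoteIpHeader`, so an upstream proxy that writes uppercase hex would not be recognised; `"[fF][eE][89abAB]\\p{XDigit}:.*|" + "[fF][cCdD]\\p{XDigit}{2}:.*");` fixes that and drops the `+` after `{2}`, a possessive quantifier that changes nothing on a fixed count. The trailing `.*` makes each alternative a prefix test on untrusted header text rather than an address check, which deserves a one-line comment such as `// prefix match only: the tail (groups, zone id) is not validated`. The identical hunk in RemoteIpValve.java needs the same change, and the default printed in filter.xml and valve.xml carries a stray `"` before `f[cd]` that the code does not have. The statement starts above the hunk, so a case-insensitive flag set there would make the first point moot.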
@@ -389,7 +389,8 @@ public class RemoteIpValve extends ValveBase {
 "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
- "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "0:0:0:0:0:0:0:1|::1");
+ "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + "0:0:0:0:0:0:0:1|::1|" +
+ "fe[89ab]\\p{XDigit}:.*|" + "f[cd]\\p{XDigit}{2}+:.*");
 /**
 * @see #setProtocolHeader(String)
diff --git a/test/org/apache/catalina/filters/TestRemoteIpFilter.java b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
index 4effc5b3df..4ace52b5e5 100644
--- a/test/org/apache/catalina/filters/TestRemoteIpFilter.java
+++ b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
@@ -861,6 +861,26 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
 doTestPattern(internalProxiesPattern, "100.127.255.255", true);
 doTestPattern(internalProxiesPattern, "100.128.0.0", false);
 doTestPattern(internalProxiesPattern, "100.130.0.0", false);
+ // Bug 69600 - IPv6 RFC 4193 Unique Local IPv6 Unicast Addresses
+ doTestPattern(internalProxiesPattern, "fe79:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+ doTestPattern(internalProxiesPattern, "fe80:0000:0000:0000:0000:0000:0000:0000", true);
+ doTestPattern(internalProxiesPattern, "fe80::", true);
+ doTestPattern(internalProxiesPattern, "fe80:0000:0000:0000:0000:0000:0000:0001", true);
+ doTestPattern(internalProxiesPattern, "fe80::1", true);
+ doTestPattern(internalProxiesPattern, "fe80:1234:5678:9abc:def0:1234:5678:9abc", true);
+ doTestPattern(internalProxiesPattern, "febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+ doTestPattern(internalProxiesPattern, "fec0:0000:0000:0000:0000:0000:0000:0000", false);
+ doTestPattern(internalProxiesPattern, "fec0::", false);
+ // Bug 69600 - IPv6 RFC 4291 Link Local IPv6 Unicast Addresses
+ doTestPattern(internalProxiesPattern, "fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+ doTestPattern(internalProxiesPattern, "fc00:0000:0000:0000:0000:0000:0000:0000", true);
+ doTestPattern(internalProxiesPattern, "fc00::", true);
+ doTestPattern(internalProxiesPattern, "fc00:0000:0000:0000:0000:0000:0000:0001", true);
+ doTestPattern(internalProxiesPattern, "fc00::1", true);
+ doTestPattern(internalProxiesPattern, "fc00:1234:5678:9abc:def0:1234:5678:9abc", true);
+ doTestPattern(internalProxiesPattern, "fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+ doTestPattern(internalProxiesPattern, "fe00:0000:0000:0000:0000:0000:0000:0000", false);
+ doTestPattern(internalProxiesPattern, "fe00::", false);
 }
 private void doTestPattern(Pattern pattern, String input, boolean expectedMatch) {
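Review bot: The two added comments sit above the wrong groups: the `fe79`–`fec0` cases probe the link-local range fe80::/10 (RFC 4291) but are labelled `RFC 4193 Unique Local`, and the `fbff`–`fe00` cases probe the unique-local range fc00::/7 (RFC 4193) but are labelled `RFC 4291 Link Local`. Swap the labels so the first reads `// Bug 69600 - IPv6 RFC 4291 Link Local IPv6 Unicast Addresses` and the second `// Bug 69600 - IPv6 RFC 4193 Unique Local IPv6 Unicast Addresses`; the TestRemoteIpValve.java hunk has the same mix-up. Every case is lowercase and none carries a zone id, so one uppercase case and one like `doTestPattern(internalProxiesPattern, "fe80::1%eth0", true);` (constructed value) would pin how the lowercase literals and the trailing `.*` are meant to behave. The test method these lines belong to starts above the hunk.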
diff --git a/test/org/apache/catalina/valves/TestRemoteIpValve.java b/test/org/apache/catalina/valves/TestRemoteIpValve.java
index 41f934e37a..f394b24ec4 100644
--- a/test/org/apache/catalina/valves/TestRemoteIpValve.java
+++ b/test/org/apache/catalina/valves/TestRemoteIpValve.java
@@ -1195,6 +1195,26 @@ public class TestRemoteIpValve {
 doTestPattern(internalProxiesPattern, "100.127.255.255", true);
 doTestPattern(internalProxiesPattern, "100.128.0.0", false);
 doTestPattern(internalProxiesPattern, "100.130.0.0", false);
+ // Bug 69600 - IPv6 RFC 4193 Unique Local IPv6 Unicast Addresses
+ doTestPattern(internalProxiesPattern, "fe79:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+ doTestPattern(internalProxiesPattern, "fe80:0000:0000:0000:0000:0000:0000:0000", true);
+ doTestPattern(internalProxiesPattern, "fe80::", true);
+ doTestPattern(internalProxiesPattern, "fe80:0000:0000:0000:0000:0000:0000:0001", true);
+ doTestPattern(internalProxiesPattern, "fe80::1", true);
+ doTestPattern(internalProxiesPattern, "fe80:1234:5678:9abc:def0:1234:5678:9abc", true);
+ doTestPattern(internalProxiesPattern, "febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+ doTestPattern(internalProxiesPattern, "fec0:0000:0000:0000:0000:0000:0000:0000", false);
+ doTestPattern(internalProxiesPattern, "fec0::", false);
+ // Bug 69600 - IPv6 RFC 4291 Link Local IPv6 Unicast Addresses
+ doTestPattern(internalProxiesPattern, "fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+ doTestPattern(internalProxiesPattern, "fc00:0000:0000:0000:0000:0000:0000:0000", true);
+ doTestPattern(internalProxiesPattern, "fc00::", true);
+ doTestPattern(internalProxiesPattern, "fc00:0000:0000:0000:0000:0000:0000:0001", true);
+ doTestPattern(internalProxiesPattern, "fc00::1", true);
+ doTestPattern(internalProxiesPattern, "fc00:1234:5678:9abc:def0:1234:5678:9abc", true);
+ doTestPattern(internalProxiesPattern, "fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+ doTestPattern(internalProxiesPattern, "fe00:0000:0000:0000:0000:0000:0000:0000", false);
+ doTestPattern(internalProxiesPattern, "fe00::", false);
 }
 private void doTestPattern(Pattern pattern, String input, boolean expectedMatch) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index aa2d90cd6a..8e49a8c2cf 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -153,6 +153,11 @@ made from within a web application with resource caching enabled. (markt) </fix>
+ <fix>
+ <bug>69600</bug>: Add IPv6 local addresses (RFC 4193 and RFC 4291) to
+ the default internal proxies for the RemoteIpFilter and RemoteIpValve.
+ (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Coyote">
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index c69c6d1cbb..c3d1c98bf4 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -1744,7 +1744,7 @@ FINE: Request "/docs/config/manager.html" with response status "200" Internal proxies that appear in the <strong>remoteIpHeader</strong> will be trusted and will not appear in the <strong>proxiesHeader</strong> value. If not specified the default value of <code>
- 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
+ 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1|fe[89ab]\p{XDigit}:.*|"f[cd]\p{XDigit}{2}+:.*
 </code> will be used.</p>
 </attribute>
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index add9753ecf..8a7431bb57 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -1196,7 +1196,7 @@ Internal proxies that appear in the <strong>remoteIpHeader</strong> will be trusted and will not appear in the <strong>proxiesHeader</strong> value. If not specified the default value of <code> - 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1 + 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1|fe[89ab]\p{XDigit}:.*|"f[cd]\p{XDigit}{2}+:.* </code> will be used.</p> </attribute>