(tomcat) branch 9.0.x updated: Fix BZ 69600 = Add IPv6 local addresses to default internal proxies

markt Fri, 28 Mar 2025 04:38:52 -0700

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git



The following commit(s) were added to refs/heads/9.0.x by this push:
     new 2bace971ad Fix BZ 69600 = Add IPv6 local addresses to default internal 
proxies
2bace971ad is described below

commit 2bace971ada62f20a01a7a5dc1c594a6cc5f3a84
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Mar 28 11:38:02 2025 +0000

    Fix BZ 69600 = Add IPv6 local addresses to default internal proxies
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=69600
---
 java/org/apache/catalina/filters/RemoteIpFilter.java |  3 ++-
 java/org/apache/catalina/valves/RemoteIpValve.java   |  3 ++-
 .../apache/catalina/filters/TestRemoteIpFilter.java  | 20 ++++++++++++++++++++
 .../apache/catalina/valves/TestRemoteIpValve.java    | 20 ++++++++++++++++++++
 webapps/docs/changelog.xml                           |  5 +++++
 webapps/docs/config/filter.xml                       |  2 +-
 webapps/docs/config/valve.xml                        |  2 +-
 7 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/catalina/filters/RemoteIpFilter.java 
b/java/org/apache/catalina/filters/RemoteIpFilter.java
index 0a118b58bc..84b7f7588c 100644
--- a/java/org/apache/catalina/filters/RemoteIpFilter.java
+++ b/java/org/apache/catalina/filters/RemoteIpFilter.java
@@ -748,7 +748,8 @@ public class RemoteIpFilter extends GenericFilter {
                     "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" +
                     "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
                     "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
-                    "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"0:0:0:0:0:0:0:1|::1");
+                    "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"0:0:0:0:0:0:0:1|::1|" +
+                    "fe[89ab]\\p{XDigit}:.*|" + "f[cd]\\p{XDigit}{2}+:.*");
 
     /**
      * @see #setProtocolHeader(String)
diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java 
b/java/org/apache/catalina/valves/RemoteIpValve.java
index 08ab9bf254..ea50972960 100644
--- a/java/org/apache/catalina/valves/RemoteIpValve.java
+++ b/java/org/apache/catalina/valves/RemoteIpValve.java
@@ -433,7 +433,8 @@ public class RemoteIpValve extends ValveBase {
                     "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" +
                     "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
                     "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" +
-                    "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"0:0:0:0:0:0:0:1|::1");
+                    "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" + 
"0:0:0:0:0:0:0:1|::1|" +
+                    "fe[89ab]\\p{XDigit}:.*|" + "f[cd]\\p{XDigit}{2}+:.*");
 
     /**
      * @see #setProtocolHeader(String)
diff --git a/test/org/apache/catalina/filters/TestRemoteIpFilter.java 
b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
index 9608d46526..8bc51126e6 100644
--- a/test/org/apache/catalina/filters/TestRemoteIpFilter.java
+++ b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
@@ -862,6 +862,26 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
         doTestPattern(internalProxiesPattern, "100.127.255.255", true);
         doTestPattern(internalProxiesPattern, "100.128.0.0", false);
         doTestPattern(internalProxiesPattern, "100.130.0.0", false);
+        // Bug 69600 - IPv6 RFC 4193 Unique Local IPv6 Unicast Addresses
+        doTestPattern(internalProxiesPattern, 
"fe79:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+        doTestPattern(internalProxiesPattern, 
"fe80:0000:0000:0000:0000:0000:0000:0000", true);
+        doTestPattern(internalProxiesPattern, "fe80::", true);
+        doTestPattern(internalProxiesPattern, 
"fe80:0000:0000:0000:0000:0000:0000:0001", true);
+        doTestPattern(internalProxiesPattern, "fe80::1", true);
+        doTestPattern(internalProxiesPattern, 
"fe80:1234:5678:9abc:def0:1234:5678:9abc", true);
+        doTestPattern(internalProxiesPattern, 
"febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+        doTestPattern(internalProxiesPattern, 
"fec0:0000:0000:0000:0000:0000:0000:0000", false);
+        doTestPattern(internalProxiesPattern, "fec0::", false);
+        // Bug 69600 - IPv6 RFC 4291 Link Local IPv6 Unicast Addresses
+        doTestPattern(internalProxiesPattern, 
"fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+        doTestPattern(internalProxiesPattern, 
"fc00:0000:0000:0000:0000:0000:0000:0000", true);
+        doTestPattern(internalProxiesPattern, "fc00::", true);
+        doTestPattern(internalProxiesPattern, 
"fc00:0000:0000:0000:0000:0000:0000:0001", true);
+        doTestPattern(internalProxiesPattern, "fc00::1", true);
+        doTestPattern(internalProxiesPattern, 
"fc00:1234:5678:9abc:def0:1234:5678:9abc", true);
+        doTestPattern(internalProxiesPattern, 
"fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+        doTestPattern(internalProxiesPattern, 
"fe00:0000:0000:0000:0000:0000:0000:0000", false);
+        doTestPattern(internalProxiesPattern, "fe00::", false);
     }
 
     private void doTestPattern(Pattern pattern, String input, boolean 
expectedMatch) {
diff --git a/test/org/apache/catalina/valves/TestRemoteIpValve.java 
b/test/org/apache/catalina/valves/TestRemoteIpValve.java
index cc8d4d95dd..ed616ec2a0 100644
--- a/test/org/apache/catalina/valves/TestRemoteIpValve.java
+++ b/test/org/apache/catalina/valves/TestRemoteIpValve.java
@@ -1217,6 +1217,26 @@ public class TestRemoteIpValve {
         doTestPattern(internalProxiesPattern, "100.127.255.255", true);
         doTestPattern(internalProxiesPattern, "100.128.0.0", false);
         doTestPattern(internalProxiesPattern, "100.130.0.0", false);
+        // Bug 69600 - IPv6 RFC 4193 Unique Local IPv6 Unicast Addresses
+        doTestPattern(internalProxiesPattern, 
"fe79:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+        doTestPattern(internalProxiesPattern, 
"fe80:0000:0000:0000:0000:0000:0000:0000", true);
+        doTestPattern(internalProxiesPattern, "fe80::", true);
+        doTestPattern(internalProxiesPattern, 
"fe80:0000:0000:0000:0000:0000:0000:0001", true);
+        doTestPattern(internalProxiesPattern, "fe80::1", true);
+        doTestPattern(internalProxiesPattern, 
"fe80:1234:5678:9abc:def0:1234:5678:9abc", true);
+        doTestPattern(internalProxiesPattern, 
"febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+        doTestPattern(internalProxiesPattern, 
"fec0:0000:0000:0000:0000:0000:0000:0000", false);
+        doTestPattern(internalProxiesPattern, "fec0::", false);
+        // Bug 69600 - IPv6 RFC 4291 Link Local IPv6 Unicast Addresses
+        doTestPattern(internalProxiesPattern, 
"fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false);
+        doTestPattern(internalProxiesPattern, 
"fc00:0000:0000:0000:0000:0000:0000:0000", true);
+        doTestPattern(internalProxiesPattern, "fc00::", true);
+        doTestPattern(internalProxiesPattern, 
"fc00:0000:0000:0000:0000:0000:0000:0001", true);
+        doTestPattern(internalProxiesPattern, "fc00::1", true);
+        doTestPattern(internalProxiesPattern, 
"fc00:1234:5678:9abc:def0:1234:5678:9abc", true);
+        doTestPattern(internalProxiesPattern, 
"fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true);
+        doTestPattern(internalProxiesPattern, 
"fe00:0000:0000:0000:0000:0000:0000:0000", false);
+        doTestPattern(internalProxiesPattern, "fe00::", false);
     }
 
     private void doTestPattern(Pattern pattern, String input, boolean 
expectedMatch) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index deaf6d543e..b8c4fc28c4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -147,6 +147,11 @@
         made from within a web application with resource caching enabled.
         (markt)
       </fix>
+      <fix>
+        <bug>69600</bug>: Add IPv6 local addresses (RFC 4193 and RFC 4291) to
+        the default internal proxies for the RemoteIpFilter and RemoteIpValve.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
index 89be25eb61..8d18e04bf9 100644
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -1798,7 +1798,7 @@ FINE: Request "/docs/config/manager.html" with response 
status "200"
         Internal proxies that appear in the <strong>remoteIpHeader</strong> 
will
         be trusted and will not appear in the <strong>proxiesHeader</strong>
         value. If not specified the default value of <code>
-        
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
+        
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1|fe[89ab]\p{XDigit}:.*|"f[cd]\p{XDigit}{2}+:.*
         </code> will be used.</p>
       </attribute>
 
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index baa3bb0d50..be4832abfe 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -1191,7 +1191,7 @@
         Internal proxies that appear in the <strong>remoteIpHeader</strong> 
will
         be trusted and will not appear in the <strong>proxiesHeader</strong>
         value. If not specified the default value of <code>
-        
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1
+        
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|100\.6[4-9]{1}\.\d{1,3}\.\d{1,3}|100\.[7-9]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.1[0-1]{1}\d{1}\.\d{1,3}\.\d{1,3}|100\.12[0-7]{1}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1|fe[89ab]\p{XDigit}:.*|"f[cd]\p{XDigit}{2}+:.*
         </code> will be used.</p>
       </attribute>
 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

(tomcat) branch 9.0.x updated: Fix BZ 69600 = Add IPv6 local addresses to default internal proxies

Reply via email to