https://issues.apache.org/bugzilla/show_bug.cgi?id=50453
Summary: Multiple X-Forwarded-For headers not handled by
RemoteIP valve
Product: Tomcat 6
Version: 6.0.29
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: [email protected]
ReportedBy: [email protected]
When a request comes in with multiple X-Forwarded-For headers the RemoteIP
valve should be examining all of them in reverse order.
As defined by the standard:
"Multiple message-header fields with the same field-name MAY be present in a
message if and only if the entire field-value for that header field is defined
as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the
multiple header fields into one "field-name: field-value" pair, without
changing the semantics of the message, by appending each subsequent field-value
to the first, each separated by a comma. The order in which header fields with
the same field-name are received is therefore significant to the interpretation
of the combined field value, and thus a proxy MUST NOT change the order of
these field values when a message is forwarded."
thus:
(a)
X-Forwarded-For: 192.168.0.3
X-Forwarded-For: 222.234.0.4
is semantically equivalent to:
(b)
X-Forwarded-For: 192.168.0.3, 222.234.0.4
However, (a) is not handled by the RemoteIP valve as it only ever looks at the
first header.
For reference, this was raised on the HAproxy mailing list:
http://www.formilux.org/archives/haproxy/1012/4122.html
and the Tomcat users' mailing list:
http://mail-archives.apache.org/mod_mbox/tomcat-users/201012.mbox/%[email protected]%3e
Tomcat users suggested raising a bug. Hence this.
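An added illustration of the semantics described in this report (Python, written for this page; it is not Tomcat's RemoteIpValve code): it folds repeated fields as RFC 2616 requires, walks the combined list in reverse order skipping trusted proxies, and contrasts that with reading only the first field. The trusted-proxy range, the address of the peer that delivered the request, and the extra header layout with a proxy inside the chain are assumptions constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed for this illustration: our reverse proxies live in 10.0.0.0/8;
# any other address is an untrusted hop.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# The two header layouts from the report, as (name, value) pairs in arrival order.
HEADERS_A = [("X-Forwarded-For", "192.168.0.3"), ("X-Forwarded-For", "222.234.0.4")]
HEADERS_B = [("X-Forwarded-For", "192.168.0.3, 222.234.0.4")]

def split_values(field_value):
    return [v.strip() for v in field_value.split(",") if v.strip()]

def fold_header(headers, name):
    """RFC 2616 s.4.2: append every same-named field, in arrival order, to one
    comma-separated list. Returns the individual values."""
    values = []
    for field_name, field_value in headers:
        if field_name.lower() == name.lower():
            values.extend(split_values(field_value))
    return values

def first_header_only(headers, name):
    """The behaviour the report describes: only the first matching field is
    read, so values appended by later proxies are silently dropped."""
    for field_name, field_value in headers:
        if field_name.lower() == name.lower():
            return split_values(field_value)
    return []

def is_trusted(addr):
    return any(ip_address(addr) in net for net in TRUSTED_PROXIES)

def resolve_client(values, remote_addr):
    """Walk X-Forwarded-For right to left, skipping trusted proxies; the first
    untrusted hop is the client. If the peer that delivered the request is not
    itself a trusted proxy, the header is ignored and the peer is the client."""
    if not is_trusted(remote_addr):
        return remote_addr
    for hop in reversed(values):
        if not is_trusted(hop):
            return hop
    return remote_addr  # every listed hop was a trusted proxy

def compare(headers, remote_addr="10.0.0.1"):
    """(folded reading, first-header-only reading) of the client address."""
    folded = resolve_client(fold_header(headers, "X-Forwarded-For"), remote_addr)
    first = resolve_client(first_header_only(headers, "X-Forwarded-For"), remote_addr)
    return folded, first
```

For layout (a) the two readings disagree, because the first-field-only reading never sees the hop appended by the second proxy; for layout (b) they agree.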