https://issues.apache.org/bugzilla/show_bug.cgi?id=50453
Summary: Multiple X-Forwarded-For headers not handled by RemoteIP valve
Product: Tomcat 6
Version: 6.0.29
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: brett.dellegra...@intact-is.com

When a request comes in with multiple X-Forwarded-For headers, the RemoteIP valve should be examining all of them in reverse order. As defined by the standard:

"Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded."

Thus:

(a)
X-Forwarded-For: 192.168.0.3
X-Forwarded-For: 222.234.0.4

is semantically equivalent to:

(b)
X-Forwarded-For: 192.168.0.3, 222.234.0.4

However, (a) is not handled by the RemoteIP valve, as it only ever looks at the first header.

For reference, this was raised on the HAproxy mailing list:
http://www.formilux.org/archives/haproxy/1012/4122.html

and the Tomcat users mailing list:
http://mail-archives.apache.org/mod_mbox/tomcat-users/201012.mbox/%3c4d022c57.1070...@apache.org%3e

Tomcat users suggested raising a bug. Hence this.
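The following Python example is added here to illustrate the point of the report; it is not code from the bug, from Tomcat or from the RemoteIP valve. It combines every occurrence of a list-valued header in arrival order (RFC 2616 section 4.2, quoted above), then walks the resulting X-Forwarded-For chain from the nearest hop backwards, skipping addresses in the assumed internal and trusted proxy ranges, and contrasts that with a resolver that only reads the first header occurrence. The address ranges, the TCP peer address 10.0.0.2 and the 198.51.100.7 / 203.0.113.x addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]  # (field-name, field-value) as received, in order

# Constructed sample input: the two header layouts (a) and (b) from the report.
HEADERS_A = [("X-Forwarded-For", "192.168.0.3"), ("X-Forwarded-For", "222.234.0.4")]
HEADERS_B = [("X-Forwarded-For", "192.168.0.3, 222.234.0.4")]

# Assumed proxy topology (constructed for this example, not from the report).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TRUSTED = [ipaddress.ip_network("198.51.100.7/32")]


def combined_header_value(headers: Iterable[Header], name: str) -> Optional[str]:
    """Join all occurrences of a comma-list header into one field-value.

    RFC 2616 s4.2: repeated fields are equivalent to one field whose value is
    each value appended to the first, in order, comma separated.
    """
    values = [v.strip() for n, v in headers if n.lower() == name.lower()]
    return ", ".join(values) if values else None


def first_header_value(headers: Iterable[Header], name: str) -> Optional[str]:
    """The defective behaviour described in the report: only the first header counts."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v.strip()
    return None


def split_list_header(value: str) -> List[str]:
    """Split a comma-separated field-value, dropping empty items and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def _in_any(addr: str, networks) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed hop: never treat it as a proxy we trust
        return False
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr: str, xff_value: Optional[str],
                      internal, trusted) -> Tuple[str, List[str]]:
    """Return (client_ip, trusted_proxies_seen) from the TCP peer and an XFF value.

    Simplified model of a RemoteIP-style valve (an assumption for this example):
    the header is only honoured when the TCP peer itself is an internal or
    trusted proxy; the chain is then walked right to left (nearest hop first).
    Internal proxies are skipped silently, trusted proxies are skipped but
    recorded, and the first other address is the client.
    """
    if not (_in_any(remote_addr, internal) or _in_any(remote_addr, trusted)):
        return remote_addr, []  # peer is not a proxy we know: header is untrusted
    hops = (split_list_header(xff_value) if xff_value else []) + [remote_addr]
    proxies: List[str] = []
    client = remote_addr
    for hop in reversed(hops):
        client = hop
        if _in_any(hop, internal):
            continue
        if _in_any(hop, trusted):
            proxies.insert(0, hop)  # keep left-to-right order of the chain
            continue
        break
    return client, proxies


def compare_layouts(remote_addr: str = "10.0.0.2"):
    """Show that (a) and (b) agree once headers are combined, and diverge otherwise."""
    name = "X-Forwarded-For"
    return {
        "combined_a": resolve_client_ip(remote_addr, combined_header_value(HEADERS_A, name), INTERNAL, TRUSTED),
        "combined_b": resolve_client_ip(remote_addr, combined_header_value(HEADERS_B, name), INTERNAL, TRUSTED),
        "first_only_a": resolve_client_ip(remote_addr, first_header_value(HEADERS_A, name), INTERNAL, TRUSTED),
    }


if __name__ == "__main__":
    for label, (client, proxies) in compare_layouts().items():
        print(f"{label}: client={client} trusted_proxies={proxies}")
```

With the combined value, layouts (a) and (b) both resolve the client to 222.234.0.4; reading only the first header of (a) leaves the valve with nothing but the internal address 192.168.0.3, which is the mis-attribution the report describes.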