DO NOT REPLY [Bug 50453] New: Multiple X-Forwarded-For headers not handled by RemoteIP valve

Fri, 10 Dec 2010 06:30:11 -0800 

https://issues.apache.org/bugzilla/show_bug.cgi?id=50453

           Summary: Multiple X-Forwarded-For headers not handled by
                    RemoteIP valve
           Product: Tomcat 6
           Version: 6.0.29
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: brett.dellegra...@intact-is.com


When a request comes in with multiple X-Forwarded-For headers the RemoteIP
valve should be examining all of them in reverse order.

As defined by the standard:
"Multiple message-header fields with the same field-name MAY be present in a
message if and only if the entire field-value for that header field is defined
as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the
multiple header fields into one "field-name: field-value" pair, without
changing the semantics of the message, by appending each subsequent field-value
to the first, each separated by a comma. The order in which header fields with
the same field-name are received is therefore significant to the interpretation
of the combined field value, and thus a proxy MUST NOT change the order of
these field values when a message is forwarded."

thus:
(a)
X-Forwarded-For: 192.168.0.3
X-Forwarded-For: 222.234.0.4

Is semantically equivalent to:
(b)
X-Forwarded-For: 192.168.0.3, 222.234.0.4

However (a) is not handled by the RemoteIP valve as it only ever looks at the
first header.

For reference, this was raised on the HAproxy mailing list:
http://www.formilux.org/archives/haproxy/1012/4122.html
and tomcat user's mailing list:
http://mail-archives.apache.org/mod_mbox/tomcat-users/201012.mbox/%3c4d022c57.1070...@apache.org%3e

Tomcat users suggested raising a bug. Hence this.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to