Update the RemoteIpFilter to handle multiple values in the x-forwarde…

…d-proto header. Based on a patch provided by Tom Groot. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1848322 13f79535-47bb-0310-9956-ffa450edef68
apache · Dec 6, 2018 · 01695d6 · 01695d6
1 parent 3b86f09
commit 01695d6
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 5 deletions.
diff --git a/java/org/apache/catalina/filters/RemoteIpFilter.java b/java/org/apache/catalina/filters/RemoteIpFilter.java
@@ -77,7 +77,7 @@
  * <li>otherwise, the ip/host is declared to be the remote ip and looping is stopped.</li>
  * </ul>
  * </li>
- * <li>If the request http header named <code>$protocolHeader</code> (e.g. <code>x-forwarded-for</code>) equals to the value of
+ * <li>If the request http header named <code>$protocolHeader</code> (e.g. <code>x-forwarded-proto</code>) consists only of forwards that match
  * <code>protocolHeaderHttpsValue</code> configuration parameter (default <code>https</code>) then <code>request.isSecure = true</code>,
  * <code>request.scheme = https</code> and <code>request.serverPort = 443</code>. Note that 443 can be overwritten with the
  * <code>$httpsServerPort</code> configuration parameter.</li>
@@ -805,8 +805,9 @@ public void doFilter(HttpServletRequest request, HttpServletResponse response, F
             if (protocolHeader != null) {
                 String protocolHeaderValue = request.getHeader(protocolHeader);
                 if (protocolHeaderValue == null) {
-                    // don't modify the secure,scheme and serverPort attributes of the request
-                } else if (protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) {
+                    // Don't modify the secure, scheme and serverPort attributes
+                    // of the request
+                } else if (isForwardedProtoHeaderValueSecure(protocolHeaderValue)) {
                     xRequest.setSecure(true);
                     xRequest.setScheme("https");
                     setPorts(xRequest, httpsServerPort);
@@ -850,6 +851,26 @@ public void doFilter(HttpServletRequest request, HttpServletResponse response, F
 
     }
 
+    /*
+     * Considers the value to be secure if it exclusively holds forwards for
+     * {@link #protocolHeaderHttpsValue}.
+     */
+    private boolean isForwardedProtoHeaderValueSecure(String protocolHeaderValue) {
+        if (!protocolHeaderValue.contains(",")) {
+            return protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue);
+        }
+        String[] forwardedProtocols = commaDelimitedListToStringArray(protocolHeaderValue);
+        if (forwardedProtocols.length == 0) {
+            return false;
+        }
+        for (int i = 0; i < forwardedProtocols.length; i++) {
+            if (!protocolHeaderHttpsValue.equalsIgnoreCase(forwardedProtocols[i])) {
+                return false;
+            }
+        }
+        return true;
+    }
+
     private void setPorts(XForwardedRequest xrequest, int defaultPort) {
         int port = defaultPort;
         if (getPortHeader() != null) {

diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java b/java/org/apache/catalina/valves/RemoteIpValve.java
@@ -638,7 +638,7 @@ public void invoke(Request request, Response response) throws IOException, Servl
             if (protocolHeader != null) {
                 String protocolHeaderValue = request.getHeader(protocolHeader);
                 if (protocolHeaderValue == null) {
-                    // don't modify the secure,scheme and serverPort attributes
+                    // Don't modify the secure, scheme and serverPort attributes
                     // of the request
                 } else if (isForwardedProtoHeaderValueSecure(protocolHeaderValue)) {
                     request.setSecure(true);
@@ -699,7 +699,7 @@ public void invoke(Request request, Response response) throws IOException, Servl
         }
     }
 
-    /**
+    /*
      * Considers the value to be secure if it exclusively holds forwards for
      * {@link #protocolHeaderHttpsValue}.
      */

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -119,6 +119,11 @@
         the <code>x-forwarded-proto</code> header. Patch provided by Tom Groot.
         (markt)
       </fix>
+      <fix>
+        Update the RemoteIpFilter to handle multiple values in the
+        <code>x-forwarded-proto</code> header. Based on a patch provided by Tom
+        Groot. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">