Attachment #27691 for bug #51953

View | Details | Raw Unified | Return to bug 51953
Collapse All | Expand All

Lines 218-224 Link Here

(-)java/org/apache/catalina/filters/RequestFilter.java (-1 / +1 lines)
218	* @return <code>true</code> if this request should be allowed,	218	* @return <code>true</code> if this request should be allowed,
219	* <code>false</code> otherwise	219	* <code>false</code> otherwise
220	*/	220	*/
221	private boolean isAllowed(String property) {	221	protected boolean isAllowed(String property) {
222	if (deny != null && deny.matcher(property).matches()) {	222	if (deny != null && deny.matcher(property).matches()) {
223	return false;	223	return false;
224	}	224	}




package org.apache.catalina.filters;

import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;


import org.apache.catalina.comet.CometEvent;
import org.apache.catalina.comet.CometFilter;
import org.apache.catalina.comet.CometFilterChain;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Implementation of a Filter that performs filtering based on comparing the
 * appropriate request property (selected based on which subclass you choose
 * to configure into your Container's pipeline) against the regular expressions
 * configured for this Filter.
 * <p>
 * This filter is configured by setting the <code>allow</code> and/or
 * <code>deny</code> properties to a regular expressions (in the syntax
 * supported by {@link java.util.regex.Pattern}) to which the appropriate request property will
 * be compared.  Evaluation proceeds as follows:
 * <ul>
 * <li>The subclass extracts the request property to be filtered, and
 *     calls the common <code>process()</code> method.
 * <li>If there is a deny expression configured, the property will be compared
 *     to the expression. If a match is found, this request will be rejected
 *     with a "Forbidden" HTTP response.</li>
 * <li>If there is a allow expression configured, the property will be compared
 *     to the expression. If a match is found, this request will be allowed to
 *     pass through to the next filter in the current pipeline.</li>
 * <li>If a deny expression was specified but no allow expression, allow this
 *     request to pass through (because none of the deny expressions matched
 *     it).
 * <li>The request will be rejected with a "Forbidden" HTTP response.</li>
 * </ul>
 */

public class RemoteAddrNetmaskFilter
    extends RequestFilter
{
    // ----------------------------------------------------- Instance Variables
    private static final Log log = LogFactory.getLog(RemoteAddrFilter.class);

    /**
     * The matchers used to test for allowed requests.
     */
    protected final List<IPMatcher> allow = new ArrayList<IPMatcher>();

    /**
     * The matchers used to test for denied requests.
     */
    protected final List<IPMatcher> deny = new ArrayList<IPMatcher>();

    // ------------------------------------------------------------- Properties

    // --------------------------------------------------------- Public Methods

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);

        final String denies = super.getDeny();
        for(final String s: denies.split("\\s*,\\s*"))
        {
            try {
                if(s.contains("/"))
                    deny.add(new NetMaskIPMatcher(s));
                else
                    deny.add(new StringIPMatcher(s));
            } catch (IllegalArgumentException e) {
                // FIXME: log
            }
        }

        final String allows = super.getDeny();
        for(final String s: allows.split("\\s*,\\s*"))
        {
            try {
                if(s.contains("/"))
                    allow.add(new NetMaskIPMatcher(s));
                else
                    allow.add(new StringIPMatcher(s));
            } catch (IllegalArgumentException e) {
                // FIXME: log
            }
        }

    }

    public void doFilter(ServletRequest request,
                         ServletResponse response,
                         FilterChain chain)
        throws ServletException, IOException
    {
        process(request.getRemoteAddr(), request, response, chain);
    }                         

    /**
     * Extract the desired request property, and pass it (along with the comet
     * event and filter chain) to the protected <code>process()</code> method
     * to perform the actual filtering.
     *
     * @param event The comet event to be processed
     * @param chain The filter chain for this event
     *
     * @exception IOException if an input/output error occurs
     * @exception ServletException if a servlet error occurs
     */
    @Override
    public void doFilterEvent(CometEvent event, CometFilterChain chain)
            throws IOException, ServletException {
        processCometEvent(event.getHttpServletRequest().getRemoteAddr(),
                event, chain);        
    }

    // ------------------------------------------------------ Protected Methods

    @Override
    protected boolean isAllowed(String property) {
        final InetAddress addr;

        try {
            addr = InetAddress.getByName(property);
        } catch (UnknownHostException e) {
            // FIXME: log
            return false;
        }

        for (final IPMatcher m: deny)
            if (m.matches(addr))
                return false;

        for (final IPMatcher m: allow)
            if (m.matches(addr))
                return true;

        // Allow if denies specified but not allows
        if (!deny.isEmpty() && allow.isEmpty())
            return true;

        // Deny this request
        return false;
    }

    @Override
    protected Log getLogger() {
        return log;
    }

    private interface IPMatcher
    {
        boolean matches(InetAddress address);
    }

    static class StringIPMatcher
        implements IPMatcher
    {
        private String address;

        public StringIPMatcher(final String address)
        {
            this.address = address;
        }

        public boolean matches(final InetAddress address)
        {
            return address.getHostAddress().equals(this.address);
        }
    }

    
    /**
     * A class representing a netmask, which is at the core of this valve.
     *
     * <p>The constructor takes a {@link java.lang.String} representing a
     * CIDR netmask as an argument and extracts two informations from it: the
     * network address and the CIDR. It then turns the address into a
     * {@link java.math.BigInteger}, calculates the right shift and shifts that
     * BigInteger by it.</p>
     * <p>The process to verify whether an IP address falls within the mask
     * is to also convert it to a BigInteger, shifting it right and comparing
     * it to the stored BigInteger.
     * </p>
     */
    static class NetMaskIPMatcher
        implements IPMatcher
    {
        /**
         * The argument to the constructor, used for .toString()
         */
        private final String expression;

        /**
         * The number of bits a matching candidate needs to be shifted right
         * in order to see if it matches
         */
        private final int shift;

        /**
         * The network address, already shifted right
         */
        private final BigInteger mask;

        /**
         * Constructor.
         *
         * @param expression the CIDR netmask
         * @throws IllegalArgumentException if the netmask is not correct
         * (invalid address specification, malformed CIDR prefix, etc)
         */
        public NetMaskIPMatcher(final String expression) {
            final int idx = expression.indexOf("/");
            final int cidr, addrlen;
            final String addressPart;
            final InetAddress addr;
            final byte[] bytes;

            if (idx == -1) {
                cidr = -1;
                addressPart = expression;
            } else {
                final String substring = expression.substring(idx + 1);
                try {
                    cidr = Integer.parseInt(substring);
                    if (cidr < 0)
                        throw new NumberFormatException("CIDR is negative");
                } catch (NumberFormatException ignored) {
                    throw new IllegalArgumentException("provided CIDR mask ("
                                                       + substring + ") is invalid");
                }
                addressPart = expression.substring(0, idx);
            }

            try {
                addr = InetAddress.getByName(addressPart);
            } catch (UnknownHostException e) {
                throw new IllegalArgumentException("provided address ("
                                                   + addressPart + ") is invalid");
            }

            bytes = addr.getAddress();
            addrlen = bytes.length * 8;
            shift = cidr == -1 ? 0 : addrlen - cidr;

            if (shift < 0)
                throw new IllegalArgumentException("CIDR prefix (" + cidr
                                                   + ") is greater than address length (" + addrlen + ")");
            mask = new BigInteger(bytes).shiftRight(shift);
            this.expression = expression;
        }

        /**
         * Test if a given address matches this netmask
         *
         * @param addr The {@link java.net.InetAddress} to test
         * @return true on match, false otherwise
         */
        public boolean matches (final InetAddress addr) {
            final BigInteger provided = new BigInteger(addr.getAddress())
                .shiftRight(shift);

            return mask.equals(provided);
        }

        @Override
            public String toString() {
            return expression;
        }
    }
}

Return to bug 51953

Line 0 Link Here

(-)java/org/apache/catalina/filters/RemoteAddrNetmaskFilter.java (+284 lines)
		1	package org.apache.catalina.filters;
		2
		3	import java.math.BigInteger;
		4	import java.net.InetAddress;
		5	import java.net.UnknownHostException;
		6
		7
		8	import org.apache.catalina.comet.CometEvent;
		9	import org.apache.catalina.comet.CometFilter;
		10	import org.apache.catalina.comet.CometFilterChain;
		11
		12	import javax.servlet.FilterChain;
		13	import javax.servlet.FilterConfig;
		14	import javax.servlet.ServletException;
		15	import javax.servlet.ServletRequest;
		16	import javax.servlet.ServletResponse;
		17	import javax.servlet.http.HttpServletResponse;
		18	import java.io.IOException;
		19	import java.net.InetAddress;
		20	import java.net.UnknownHostException;
		21	import java.util.ArrayList;
		22	import java.util.List;
		23	import org.apache.juli.logging.Log;
		24	import org.apache.juli.logging.LogFactory;
		25
		26	/**
		27	* Implementation of a Filter that performs filtering based on comparing the
		28	* appropriate request property (selected based on which subclass you choose
		29	* to configure into your Container's pipeline) against the regular expressions
		30	* configured for this Filter.
		31	* <p>
		32	* This filter is configured by setting the <code>allow</code> and/or
		33	* <code>deny</code> properties to a regular expressions (in the syntax
		34	* supported by {@link java.util.regex.Pattern}) to which the appropriate request property will
		35	* be compared. Evaluation proceeds as follows:
		36	* <ul>
		37	* <li>The subclass extracts the request property to be filtered, and
		38	* calls the common <code>process()</code> method.
		39	* <li>If there is a deny expression configured, the property will be compared
		40	* to the expression. If a match is found, this request will be rejected
		41	* with a "Forbidden" HTTP response.</li>
		42	* <li>If there is a allow expression configured, the property will be compared
		43	* to the expression. If a match is found, this request will be allowed to
		44	* pass through to the next filter in the current pipeline.</li>
		45	* <li>If a deny expression was specified but no allow expression, allow this
		46	* request to pass through (because none of the deny expressions matched
		47	* it).
		48	* <li>The request will be rejected with a "Forbidden" HTTP response.</li>
		49	* </ul>
		50	*/
		51
		52	public class RemoteAddrNetmaskFilter
		53	extends RequestFilter
		54	{
		55	// ----------------------------------------------------- Instance Variables
		56	private static final Log log = LogFactory.getLog(RemoteAddrFilter.class);
		57
		58	/**
		59	* The matchers used to test for allowed requests.
		60	*/
		61	protected final List<IPMatcher> allow = new ArrayList<IPMatcher>();
		62
		63	/**
		64	* The matchers used to test for denied requests.
65	*/
66	protected final List<IPMatcher> deny = new ArrayList<IPMatcher>();
67
68	// ------------------------------------------------------------- Properties
69
70	// --------------------------------------------------------- Public Methods
71
72	@Override
73	public void init(FilterConfig filterConfig) throws ServletException {
74	super.init(filterConfig);
75
76	final String denies = super.getDeny();
77	for(final String s: denies.split("\\s,\\s"))
78	{
79	try {
80	if(s.contains("/"))
81	deny.add(new NetMaskIPMatcher(s));
82	else
83	deny.add(new StringIPMatcher(s));
84	} catch (IllegalArgumentException e) {
85	// FIXME: log
86	}
87	}
88
89	final String allows = super.getDeny();
90	for(final String s: allows.split("\\s,\\s"))
91	{
92	try {
93	if(s.contains("/"))
94	allow.add(new NetMaskIPMatcher(s));
95	else
96	allow.add(new StringIPMatcher(s));
97	} catch (IllegalArgumentException e) {
98	// FIXME: log
99	}
100	}
101
102	}
103
104	public void doFilter(ServletRequest request,
105	ServletResponse response,
106	FilterChain chain)
107	throws ServletException, IOException
108	{
109	process(request.getRemoteAddr(), request, response, chain);
110	}
111
112	/**
113	* Extract the desired request property, and pass it (along with the comet
114	* event and filter chain) to the protected <code>process()</code> method
115	* to perform the actual filtering.
116	*
117	* @param event The comet event to be processed
118	* @param chain The filter chain for this event
119	*
120	* @exception IOException if an input/output error occurs
121	* @exception ServletException if a servlet error occurs
122	*/
123	@Override
124	public void doFilterEvent(CometEvent event, CometFilterChain chain)
125	throws IOException, ServletException {
126	processCometEvent(event.getHttpServletRequest().getRemoteAddr(),
127	event, chain);
128	}
129
130	// ------------------------------------------------------ Protected Methods
131
132	@Override
133	protected boolean isAllowed(String property) {
134	final InetAddress addr;
135
136	try {
137	addr = InetAddress.getByName(property);
138	} catch (UnknownHostException e) {
139	// FIXME: log
140	return false;
141	}
142
143	for (final IPMatcher m: deny)
144	if (m.matches(addr))
145	return false;
146
147	for (final IPMatcher m: allow)
148	if (m.matches(addr))
149	return true;
150
151	// Allow if denies specified but not allows
152	if (!deny.isEmpty() && allow.isEmpty())
153	return true;
154
155	// Deny this request
156	return false;
157	}
158
159	@Override
160	protected Log getLogger() {
161	return log;
162	}
163
164	private interface IPMatcher
165	{
166	boolean matches(InetAddress address);
167	}
168
169	static class StringIPMatcher
170	implements IPMatcher
171	{
172	private String address;
173
174	public StringIPMatcher(final String address)
175	{
176	this.address = address;
177	}
178
179	public boolean matches(final InetAddress address)
180	{
181	return address.getHostAddress().equals(this.address);
182	}
183	}
184
185
186	/**
187	* A class representing a netmask, which is at the core of this valve.
188	*
189	* <p>The constructor takes a {@link java.lang.String} representing a
190	* CIDR netmask as an argument and extracts two informations from it: the
191	* network address and the CIDR. It then turns the address into a
192	* {@link java.math.BigInteger}, calculates the right shift and shifts that
193	* BigInteger by it.</p>
194	* <p>The process to verify whether an IP address falls within the mask
195	* is to also convert it to a BigInteger, shifting it right and comparing
196	* it to the stored BigInteger.
197	* </p>
198	*/
199	static class NetMaskIPMatcher
200	implements IPMatcher
201	{
202	/**
203	* The argument to the constructor, used for .toString()
204	*/
205	private final String expression;
206
207	/**
208	* The number of bits a matching candidate needs to be shifted right
209	* in order to see if it matches
210	*/
211	private final int shift;
212
213	/**
214	* The network address, already shifted right
215	*/
216	private final BigInteger mask;
217
218	/**
219	* Constructor.
220	*
221	* @param expression the CIDR netmask
222	* @throws IllegalArgumentException if the netmask is not correct
223	* (invalid address specification, malformed CIDR prefix, etc)
224	*/
225	public NetMaskIPMatcher(final String expression) {
226	final int idx = expression.indexOf("/");
227	final int cidr, addrlen;
228	final String addressPart;
229	final InetAddress addr;
230	final byte[] bytes;
231
232	if (idx == -1) {
233	cidr = -1;
234	addressPart = expression;
235	} else {
236	final String substring = expression.substring(idx + 1);
237	try {
238	cidr = Integer.parseInt(substring);
239	if (cidr < 0)
240	throw new NumberFormatException("CIDR is negative");
241	} catch (NumberFormatException ignored) {
242	throw new IllegalArgumentException("provided CIDR mask ("
243	+ substring + ") is invalid");
244	}
245	addressPart = expression.substring(0, idx);
246	}
247
248	try {
249	addr = InetAddress.getByName(addressPart);
250	} catch (UnknownHostException e) {
251	throw new IllegalArgumentException("provided address ("
252	+ addressPart + ") is invalid");
253	}
254
255	bytes = addr.getAddress();
256	addrlen = bytes.length * 8;
257	shift = cidr == -1 ? 0 : addrlen - cidr;
258
259	if (shift < 0)
260	throw new IllegalArgumentException("CIDR prefix (" + cidr
261	+ ") is greater than address length (" + addrlen + ")");
262	mask = new BigInteger(bytes).shiftRight(shift);
263	this.expression = expression;
264	}
265
266	/**
267	* Test if a given address matches this netmask
268	*
269	* @param addr The {@link java.net.InetAddress} to test
270	* @return true on match, false otherwise
271	*/
272	public boolean matches (final InetAddress addr) {
273	final BigInteger provided = new BigInteger(addr.getAddress())
274	.shiftRight(shift);
275
276	return mask.equals(provided);
277	}
278
279	@Override
280	public String toString() {
281	return expression;
282	}
283	}
284	}