Bug 57926 – RemoteIpValve: resetting the RemoteAddr, but not the X-Forwarded-For Header causes information loss

Bug 57926 - RemoteIpValve: resetting the RemoteAddr, but not the X-Forwarded-For Header causes information loss


Summary:	RemoteIpValve: resetting the RemoteAddr, but not the X-Forwarded-For Header c...

Status:	RESOLVED FIXED

Product:	Tomcat 8
Classification:	Unclassified
Component:	Catalina
Version:	8.0.22
Hardware:	PC All

Importance:	P2 normal (vote)
Target Milestone:	----
Assigned To:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree

Reported:	2015-05-13 16:13 UTC by Benjamin Gehrels
Modified:	2015-05-18 13:57 UTC (History)
CC List:	1 user (show)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Benjamin Gehrels 2015-05-13 16:13:58 UTC

After processing the request, the RemoteIPValve resets the RemoteAddr to its original value. The Header Fields X-Forwarded-By and X-Forwarded-For, that may have also been changed will not be reset to their original values.

This leads to an inconsistent state of the request after processing:
Before:
RemoteAddr: 192.168.1.1
X-Forwarded-For: 88.77.66.55

After:
RemoteAddr: 192.168.1.1
X-Forwarded-For: null

So, the information that is probably most valuable to me is now neither in the RemoteAddr, nor in the X-Forwarded-For header. This may cause problems, because Access Logging is done after request processing. Depending on your logging config, the True Client IP will be completly lost from the logs.

A workaround may be to set requestAttributesEnabled=true and log those attributes.

Comment 1 Mark Thomas 2015-05-18 13:57:46 UTC

Fixed in trunk for 9.0.x and in 8.0.x for 8.0.23 onwards.