Bug 57926 - RemoteIpValve: resetting the RemoteAddr, but not the X-Forwarded-For Header causes information loss
Summary: RemoteIpValve: resetting the RemoteAddr, but not the X-Forwarded-For Header c...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.0.22
Hardware: PC All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-13 16:13 UTC by Benjamin Gehrels
Modified: 2015-05-18 13:57 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Benjamin Gehrels 2015-05-13 16:13:58 UTC
After processing the request, the RemoteIPValve resets the RemoteAddr to its original value. The Header Fields X-Forwarded-By and X-Forwarded-For, that may have also been changed will not be reset to their original values.

This leads to an inconsistent state of the request after processing:
Before:
RemoteAddr: 192.168.1.1
X-Forwarded-For: 88.77.66.55

After:
RemoteAddr: 192.168.1.1
X-Forwarded-For: null

So, the information that is probably most valuable to me is now neither in the RemoteAddr, nor in the X-Forwarded-For header. This may cause problems, because Access Logging is done after request processing. Depending on your logging config, the True Client IP will be completly lost from the logs.

A workaround may be to set requestAttributesEnabled=true and log those attributes.
Comment 1 Mark Thomas 2015-05-18 13:57:46 UTC
Fixed in trunk for 9.0.x and in 8.0.x for 8.0.23 onwards.