Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1964

IPAddressAccessControlHandler stops working when ProxyPeerAddressHandler is enabled and X-Forwarded-For request header contains multiple IP addresses

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 2.2.13.Final, 2.0.42.Final
    • 2.0.39.Final, 2.2.10.Final
    • Core
    • None

    Description

      IPAddressAccessControlHandler stops working when ProxyPeerAddressHandler is enabled and the X-Forwarded-For request header contains multiple IP addresses.

      This issue happens because ProxyPeerAddressHandler creates an unresolved InetSocketAddress and sets it to HttpServerExchange#setSourceAddress() when the X-Forwarded-For request header contains multiple IP addresses. As InetSocketAddress#getAddress() returns null if it is unresolved, exchange.getSourceAddress().getAddress() returns null, so it causes IPAddressAccessControlHandler stop working.

      This issue is similar to UNDERTOW-1296, but this happens only when the X-Forwarded-For request header contains multiple IP addresses. It looks like a bug in the fixed code for UNDERTOW-1296.

      As the syntax of X-Forwarded-For is

      X-Forwarded-For: <client>, <proxy1>, <proxy2>

      ProxyPeerAddressHandler basically should check the first entry of the X-Forwarded-For request header.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1801 ProxyPeerAddressHandler incorrectly parses X_FORWARDED_FOR headers

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is incorporated by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22460 [GSS](7.4.z) UNDERTOW-1964 - IPAddressAccessControlHandler (ip-access-control) stops working when ProxyPeerAddressHandler (proxy-address-forwarding="true") is enabled on listener and the X-Forwarded-For request header contains multiple IP addresses

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22459 [GSS](7.3.z) UNDERTOW-1964 - IPAddressAccessControlHandler (ip-access-control) stops working when ProxyPeerAddressHandler (proxy-address-forwarding="true") is enabled on listener and the X-Forwarded-For request header contains multiple IP addresses

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) UNDERTOW-1965 Initialize ProxyHandler with enabling "setReuseXForwarded(true)" inside DefaultServer for X-Forwarded-* header related unit tests

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              flaviarnn Flavia Rainone
              rhn-support-mmiura Masafumi Miura
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: