Konstantin,

On 11/6/12 2:03 PM, Konstantin Kolinko wrote:
> 2012/11/3 Christopher Schultz <ch...@christopherschultz.net>:
>>
>> I was looking at the Javadoc for RemoteIpValve's internalProxies
>> attribute and I saw this comment:
>>
>> " 172.16/12 has not been enabled by default because it is complex
>> to describe with regular expressions. "
>>
>> I'm not sure that is true. This regex ought to do it:
>>
>> 172\.(1[6-9]|2(5[0-5]|[6-9])|[3-9][0-9])\.\d+\.\d+
>>
>> Any takers?
>>
>
> That "2(5".. part is strange and wrong. What are you trying to do
> with it?

Allow .25x. but not .26x (as that would be >8 bits).

> According to Wikipedia [1], the range is 172.16.0.0 -
> 172.31.255.255

Oddly enough, I used a Python script I found online to convert
172.16.0.0/12 into a regular expression and it produced:

^172\.2\d|1[6-9]|3[01]\.\d+\.\d+$

That didn't seem right to me at the time: my netmask math was failing
me, evidently.

> So maybe 172\.(1[6-9])|(2\d)|(3[01])\.\d\d?\d?\.\d\d?\d?
>
> That will be 16-19, 20-29, 30-31 for the second byte.
>
> (It'd be better to have some unit tests, to be sure).

I'm not sure how stringent we want our regexes to be, but \d\d\d is a
bit lenient. Since these IP addresses are coming in as strings from
HTTP headers and not as 4-byte values, is it a good idea to permit
insane IPv4 addresses like 123.456.789.888?

Thanks,
-chris
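
The unit tests asked for in the message above, as an added example that is not part of the original e-mail or of Tomcat: each pattern from the thread is checked against the real 172.16.0.0/12 range, with Python's `ipaddress` module as the oracle. It assumes the pattern must match the whole address string (`re.fullmatch`, standing in for Java's `Matcher.matches()`); the sample addresses are constructed, and the "strict (added)" pattern and all names are hypothetical.

```python
import ipaddress
import re

NET = ipaddress.ip_network("172.16.0.0/12")  # 172.16.0.0 - 172.31.255.255

# One decimal octet, 0-255, no leading zeros.
OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

CANDIDATES = {
    # The three patterns from the thread, copied verbatim.
    "first proposal": r"172\.(1[6-9]|2(5[0-5]|[6-9])|[3-9][0-9])\.\d+\.\d+",
    "script output": r"^172\.2\d|1[6-9]|3[01]\.\d+\.\d+$",
    "reply suggestion": r"172\.(1[6-9])|(2\d)|(3[01])\.\d\d?\d?\.\d\d?\d?",
    # Hypothetical pattern added for this example: the alternation is grouped
    # and each remaining octet is bounded to 0-255.
    "strict (added)": r"172\.(1[6-9]|2\d|3[01])\." + OCTET + r"\." + OCTET,
}

# Constructed sample inputs: range boundaries, interior values, and one
# address-shaped string with out-of-range octets.
SAMPLES = [
    "172.15.255.255", "172.16.0.0", "172.20.10.5", "172.25.1.1",
    "172.31.255.255", "172.32.0.0", "172.16.456.789", "10.0.0.1",
]


def in_range(addr):
    """Oracle: True only for a valid IPv4 address inside 172.16.0.0/12."""
    try:
        return ipaddress.IPv4Address(addr) in NET
    except ValueError:
        return False


def misclassified(pattern):
    """Samples where a whole-string regex match disagrees with the oracle."""
    rx = re.compile(pattern, re.ASCII)  # ASCII digits only, as in Java's \d
    return [s for s in SAMPLES if bool(rx.fullmatch(s)) != in_range(s)]


if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        print(f"{name:17} disagrees on: {misclassified(pattern) or 'nothing'}")
```

The two patterns with ungrouped alternation match none of the four-octet samples, because `|` binds more loosely than the surrounding `172\.` prefix and octet suffix.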