#3 sslext doesn't support IPv6 / doesn't handle it correctly

Unstable (example)
open
nobody
1
2013-07-12
2013-07-12
Gerrit Hohl
No

Hello everyone, :)

We use your library in our project together with Struts 1.2.8 and Jetty 5.1.11. As our product should support IPv6, I came across a problem with that constellation: the SecureFormTag did not replace the action property of the <form> tag correctly.

IPv4 Example:
Web Server IP: 192.168.1.111
Action: LoginAction
Path: /LoginAction
Expected: https://192.168.1.111/Login.xml;jsessionid=4a4tf4ulhsmm
Actually: https://192.168.1.111/Login.xml;jsessionid=4a4tf4ulhsmm

IPv6 Example:
Web Server IP: fd01:0:0:1::4443
Action: LoginAction
Path: /LoginAction
Expected: https://[fd01:0:0:1::4443]/Login.xml;jsessionid=4a4tf4ulhsmm
Actually: https://[fd01:0:0:1:4443/Login.xml;jsessionid=4a4tf4ulhsmm

After analysing this for some time I found out that Jetty 5 has a bug in the HttpServletRequest implementation: the HttpServletRequest#getServerName() method splits the server name / IP address and the port on which the request was received by simply looking for the last semicolon, if available. And in this IPv6 URL there is a semicolon (there are even a few), but unfortunately none of them separates a port. Nevertheless it is treated like that, so we get a server name [fd01:0:0:1 and a port 4443.

I solved this problem by switching to Jetty 9.0.4. But I had to realise that there is also a bug in your library with respect to handling IPv6 addresses:

IPv6 Example using Jetty 9:
Web Server IP: fd01:0:0:1::4443
Action: LoginAction
Path: /LoginAction
Expected: https://[fd01:0:0:1::4443]/Login.xml;jsessionid=4a4tf4ulhsmm
Actually: https://fd01:0:0:1:4443/Login.xml;jsessionid=4a4tf4ulhsmm

The server name is now correctly reported by the HttpServletRequest#getServerName() method of Jetty 9. But your library doesn't surround IPv6 addresses with square brackets. This can be easily solved by adding the following lines to org/apache/struts/util/SecureRequestUtils.java at line 277:

  // IPv6 support
  if (serverName.indexOf(':') >= 0)
     serverName = '[' + serverName + ']';

I also attached a patch file. Hope it worked as I never created one before.

1 Attachments
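
The bracketing described in the ticket, worked through as an added example (not code from sslext, Struts, Jetty or the attached patch). The class and method names are hypothetical, and the check for a name that already starts with '[' is an assumption covering containers that return the literal bracketed; the round-trip through java.net.URI shows how to verify that a generated URL still has a parseable host.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SecureUrlHost {

    // Wrap an IPv6 literal in brackets unless it is already bracketed.
    // A ':' can only appear in a server name when it is an IPv6 literal.
    static String hostForUrl(String serverName) {
        if (serverName.indexOf(':') >= 0 && !serverName.startsWith("[")) {
            return "[" + serverName + "]";
        }
        return serverName;
    }

    // Build scheme://host[:port]path, leaving out the scheme's default port.
    static String buildUrl(String scheme, String serverName, int port, String path) {
        StringBuilder url = new StringBuilder(scheme).append("://")
                .append(hostForUrl(serverName));
        boolean defaultPort = ("https".equals(scheme) && port == 443)
                || ("http".equals(scheme) && port == 80);
        if (port > 0 && !defaultPort) {
            url.append(':').append(port);
        }
        return url.append(path).toString();
    }

    // Host as java.net.URI sees it, or null when the authority is not a
    // well-formed host[:port] (for example an unbracketed IPv6 literal).
    static String parsedHost(String url) {
        try {
            return new URI(url).getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String path = "/Login.xml";
        // Server names taken from the ticket; the port values are constructed.
        String[] names = { "192.168.1.111", "fd01:0:0:1::4443", "[fd01:0:0:1::4443]" };
        for (String name : names) {
            String fixed = buildUrl("https", name, 443, path);
            String unfixed = "https://" + name + path; // no bracketing applied
            System.out.println(fixed + " -> host " + parsedHost(fixed));
            System.out.println(unfixed + " -> host " + parsedHost(unfixed));
        }
        System.out.println(buildUrl("https", "fd01:0:0:1::4443", 8443, path));
    }
}
```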
