Do not try to resolve X-Forwarded-For header

papegaaij · papegaaij · commit 84f62a5cff46 · 2021-03-05T13:28:15.000+01:00
The remote address is reported by HttpServletRequest. Configuration of
this property is normally done via the application server. If this is
somehow not possible, use XForwardedRequestWrapperFactory.
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/request/WebClientInfo.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/request/WebClientInfo.java
@@ -140,48 +140,16 @@ private String getUserAgentStringLc()
 	}
 
 	/**
-	 * When using ProxyPass, requestCycle().getHttpServletRequest(). getRemoteAddr() returns the IP
-	 * of the machine forwarding the request. In order to maintain the clients ip address, the
-	 * server places it in the <a
-	 * href="http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers">X-Forwarded-For</a>
-	 * Header.
-	 *
-	 * Proxies may also mask the original client IP with tokens like "hidden" or "unknown".
-	 * If so, the last proxy ip address is returned.
+	 * Returns the IP address from {@code HttpServletRequest.getRemoteAddr()}.
 	 *
 	 * @param requestCycle
 	 *            the request cycle
-	 * @return remoteAddr IP address of the client, using the X-Forwarded-For header and defaulting
-	 *         to: getHttpServletRequest().getRemoteAddr()
+	 * @return remoteAddr IP address of the client, using
+	 *         {@code getHttpServletRequest().getRemoteAddr()}
 	 */
 	protected String getRemoteAddr(RequestCycle requestCycle)
 	{
 		ServletWebRequest request = (ServletWebRequest)requestCycle.getRequest();
-		HttpServletRequest req = request.getContainerRequest();
-		String remoteAddr = request.getHeader("X-Forwarded-For");
-
-		if (remoteAddr != null)
-		{
-			if (remoteAddr.contains(","))
-			{
-				// sometimes the header is of form client ip,proxy 1 ip,proxy 2 ip,...,proxy n ip,
-				// we just want the client
-				remoteAddr = Strings.split(remoteAddr, ',')[0].trim();
-			}
-			try
-			{
-				// If ip4/6 address string handed over, simply does pattern validation.
-				InetAddress.getByName(remoteAddr);
-			}
-			catch (UnknownHostException e)
-			{
-				remoteAddr = req.getRemoteAddr();
-			}
-		}
-		else
-		{
-			remoteAddr = req.getRemoteAddr();
-		}
-		return remoteAddr;
+		return request.getContainerRequest().getRemoteAddr();
 	}
 }
