fix(tomcat): Regex escaping error in RemoteIpValve internalProxies + missing CGNAT #35804

@yolabingo

Problem Statement

The default CMS_REMOTEIP_INTERNALPROXIES regex in setenv.sh uses double-backslash escaping (\\) inside double-quoted strings. This produces an incorrect regex pattern that fails to match internal proxy IP addresses, causing RemoteIpValve to not trust proxies and not properly resolve client IPs from X-Forwarded-For headers.

Additionally, the regex does not cover 100.64.0.0/10 (CGNAT, RFC 6598), commonly used by cloud load balancers and Kubernetes overlay networks. Tomcat 10.1+ includes this range by default.

File: dotCMS/src/main/resources/container/tomcat9/bin/setenv.sh:102

Current (broken):

export CMS_REMOTEIP_INTERNALPROXIES=${CMS_REMOTEIP_INTERNALPROXIES:-"10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} |192\\.168\\.\\d{1,3}\\.\\d{1,3}|..."}

The \\ escaping is incorrect — should be single \.

Steps to Reproduce

  1. Deploy dotCMS without setting CMS_REMOTEIP_INTERNALPROXIES env var
  2. Send request through an internal proxy (e.g., 10.x.x.x, 192.168.x.x)
  3. Observe X-Forwarded-For header is not resolved — client IP shows proxy IP instead of real client IP
  4. Requests from CGNAT range (100.64.x.x) are never trusted regardless of escaping fix

Acceptance Criteria

  • Fix \\ double-backslash escaping to single \ in CMS_REMOTEIP_INTERNALPROXIES default regex in setenv.sh
  • Add 100.64.0.0/10 (CGNAT / RFC 6598) to internal proxies regex
  • RemoteIpValve correctly matches RFC 1918, CGNAT, loopback, and link-local addresses as internal proxies
  • X-Forwarded-For header properly resolved when request traverses internal proxy

dotCMS Version

All versions (evergreen) — present since the regex was added to setenv.sh

Severity

Medium - Some functionality impacted

Links

https://helpdesk.dotcms.com/a/tickets/37123

https://dotcms.slack.com/archives/C06TM536N9J/p1779411185740119?thread_ts=1779390915.869349&cid=C06TM536N9J
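The following is an added example, not dotCMS or Tomcat code, to show what the acceptance criteria above require of the internalProxies regex and why the escaping matters. It builds an internalProxies pattern covering RFC 1918, CGNAT (100.64.0.0/10), loopback and link-local with single-backslash escapes, puts a pattern whose dots are written as "\\." beside it, and mimics RemoteIpValve's right-to-left walk over X-Forwarded-For. The function names, the sample addresses and the header values are constructed for the example; Python's re reads this subset of syntax the same way java.util.regex does.

```python
import re

# Internal proxies as the acceptance criteria list them: RFC 1918, CGNAT,
# loopback, link-local. Single backslashes: \. is a literal dot, \d a digit.
# Note \d{1,3} also accepts out-of-range octets such as 999, as Tomcat's
# default pattern does; it is a trust boundary, not an address validator.
INTERNAL_PROXIES = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.1[6-9]\.\d{1,3}\.\d{1,3}"
    r"|172\.2[0-9]\.\d{1,3}\.\d{1,3}"
    r"|172\.3[0-1]\.\d{1,3}\.\d{1,3}"
    # 100.64.0.0/10 (RFC 6598) is second octet 64..127, split into ranges
    r"|100\.6[4-9]\.\d{1,3}\.\d{1,3}"
    r"|100\.[7-9]\d\.\d{1,3}\.\d{1,3}"
    r"|100\.1[01]\d\.\d{1,3}\.\d{1,3}"
    r"|100\.12[0-7]\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}"
)

# Constructed counter-example: if the regex engine receives "\\." and "\\d",
# that is a literal backslash followed by any character / the letter d,
# so no dotted-quad address can ever match and nothing is trusted.
BROKEN_PROXIES = re.compile(
    r"10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}"
)


def is_internal_proxy(ip, pattern=INTERNAL_PROXIES):
    # RemoteIpValve uses Pattern.matcher(ip).matches(): whole-string match.
    return pattern.fullmatch(ip) is not None


def resolve_client_ip(remote_addr, x_forwarded_for, pattern=INTERNAL_PROXIES):
    """Mimic RemoteIpValve (internalProxies only, no trustedProxies).

    Only when the TCP peer is an internal proxy is X-Forwarded-For consulted.
    Hops are walked right to left; internal proxies are skipped, and the first
    other address is the client. Returns (client_ip, skipped_internal_hops).
    """
    if not is_internal_proxy(remote_addr, pattern):
        # Untrusted peer: the header is ignored, the peer address stands.
        return remote_addr, []
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    skipped = []
    for hop in reversed(hops):
        if is_internal_proxy(hop, pattern):
            skipped.append(hop)
            continue
        return hop, skipped
    # Every hop was internal: the leftmost entry is what remains, as in the
    # valve's loop, since there is no non-internal address to stop at.
    return (hops[0] if hops else remote_addr), skipped


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 -> CGNAT LB 100.64.3.3 -> 10.0.0.5 -> Tomcat
    print(resolve_client_ip("10.0.0.5", "203.0.113.7, 100.64.3.3"))
    print(resolve_client_ip("10.0.0.5", "203.0.113.7, 100.64.3.3", BROKEN_PROXIES))
```

With the working pattern the CGNAT hop is skipped and the client resolves to 203.0.113.7; with the pattern that never matches, the peer 10.0.0.5 is not trusted and the "client" stays the proxy address, which is the symptom described in the reproduction steps.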
