41 messages in org.apache.tomcat.devRE: Spec question: RE BUG 12052| From | Sent On | Attachments |
|---|---|---|
| Bojan Smojver | Aug 28, 2002 6:26 am | |
| Craig R. McClanahan | Aug 28, 2002 9:14 am | |
| John Trollinger | Aug 28, 2002 9:18 am | |
| Craig R. McClanahan | Aug 28, 2002 9:41 am | |
| cost...@covalent.net | Aug 28, 2002 10:03 am | |
| John Trollinger | Aug 28, 2002 10:21 am | |
| Costin Manolache | Aug 28, 2002 10:35 am | |
| Craig R. McClanahan | Aug 28, 2002 10:54 am | |
| Craig R. McClanahan | Aug 28, 2002 10:59 am | |
| Ignacio J. Ortega | Aug 28, 2002 11:24 am | |
| Ryan Lubke | Aug 28, 2002 11:28 am | |
| Bill Barker | Aug 28, 2002 11:28 am | |
| cost...@covalent.net | Aug 28, 2002 12:52 pm | |
| Costin Manolache | Aug 28, 2002 1:52 pm | |
| Costin Manolache | Aug 28, 2002 1:54 pm | |
| Ignacio J. Ortega | Aug 28, 2002 2:05 pm | |
| Ryan Lubke | Aug 28, 2002 3:52 pm | |
| cost...@covalent.net | Aug 28, 2002 4:11 pm | |
| Bojan Smojver | Aug 28, 2002 4:22 pm | |
| Bojan Smojver | Aug 28, 2002 4:45 pm | |
| cost...@covalent.net | Aug 28, 2002 5:01 pm | |
| Bill Barker | Aug 28, 2002 5:43 pm | |
| cost...@covalent.net | Aug 28, 2002 7:11 pm | |
| Bojan Smojver | Aug 28, 2002 8:22 pm | |
| Bojan Smojver | Aug 28, 2002 11:45 pm | |
| Bill Barker | Aug 29, 2002 12:24 am | |
| Ignacio J. Ortega | Aug 29, 2002 6:48 am | |
| cost...@covalent.net | Aug 29, 2002 7:29 am | |
| Craig R. McClanahan | Aug 29, 2002 8:12 am | |
| Ryan Lubke | Aug 29, 2002 9:01 am | |
| Costin Manolache | Aug 29, 2002 9:56 am | |
| Bojan Smojver | Aug 29, 2002 4:10 pm | |
| Ignacio J. Ortega | Aug 30, 2002 6:50 am | |
| cost...@covalent.net | Aug 30, 2002 7:53 am | |
| Ignacio J. Ortega | Aug 30, 2002 10:14 am | |
| cost...@covalent.net | Aug 30, 2002 10:53 am | |
| Ignacio J. Ortega | Aug 30, 2002 11:26 am | |
| cost...@covalent.net | Aug 30, 2002 11:49 am | |
| Steve Downey | Aug 30, 2002 1:27 pm | |
| Ignacio J. Ortega | Aug 30, 2002 1:46 pm | |
| Bojan Smojver | Aug 30, 2002 5:55 pm |
| Subject: | RE: Spec question: RE BUG 12052 | |
|---|---|---|
| From: | Ignacio J. Ortega (nac...@siapi.es) | |
| Date: | Aug 30, 2002 11:26:05 am | |
| List: | org.apache.tomcat.dev | |
-----Mensaje original----- De: cost...@covalent.net [mailto:cost...@covalent.net] Enviado el: 30 de agosto de 2002 19:54 Para: Tomcat Developers List Asunto: RE: Spec question: RE BUG 12052
It may very well be a security issue ( and quite a big one ! ). There are sites using all kinds of firewalls and settings in httpd.conf to restrict access to some hosts or ports ( say from internal network ). If Host: info is used for security checkings - it would be trivial to bypass some of this security.
In particular - people may have servlets that check getServerName() to find if 'localhost' was used - the spec change will leave them with a huge hole ( any request with forged Host: localhost will pass ).
Good Comment..
In the particular case you have pointed, it's a user problem, a request with Host: Localhost can be only be issued by someone with Remote Ip=localhost..
So one can take some security measures to check the correctness of the request..
All other use case i can imagine fall within the users problems, if the correct VS has received the request, it's the Remote IP appropiate for that VS? matchs port where the request has been received the port where is suppoussed that the VS is?
But By far in the Journey we have learned something, never trust a Host Header without first trust the Remote IP, at least for ultra-secure apps..
And another thing, i wonder if it would be appropiate to check if a request came from the (at least) correct port before dispatching it to the VS.. at least within TC, and check if Apache2 is taking any measures to be certain of this fact..
Saludos , Ignacio J. Ortega