tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 13172] - Port incorrect in getServerPort and in access log
Date Fri, 30 May 2003 18:56:35 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13172>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13172

Port incorrect in getServerPort and in access log
------- Additional Comments From eric.havens@ericsson.com  2003-05-30 18:56 -------
It seems that the getServerPort() method returns the port as specified in the 
Host header of the received message, not the port of the connector through 
which the request arrived.

This seems to be a huge security issue. I am currently using a filter in my 
code to verify that a request arrived on a particular port (for security 
reasons) and am actually only verifying that the Host header says it came in on 
the port. It would be trivial for a client to spoof my code if I were to rely 
on the getServerPort() method as implemented.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
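For a reader who needs the check the reporter describes, here is an added example (not from the bug report and not Tomcat's own code) of a filter that keys on the socket-level port via getLocalPort(), available from Servlet 2.4 onward, instead of the Host-header-derived getServerPort(); the class name and the requiredPort init-param are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests that did not arrive on the expected connector port.
 * getLocalPort() reports the port the connector accepted the TCP connection
 * on, so its value cannot be chosen by the client. getServerPort(), as the
 * bug describes, reflects the Host header and must not be used for this.
 */
public class ConnectorPortFilter implements Filter {
    private FilterConfig config;   // kept for ServletContext logging
    private int requiredPort;      // assumed init-param "requiredPort"

    public void init(FilterConfig filterConfig) throws ServletException {
        config = filterConfig;
        String value = filterConfig.getInitParameter("requiredPort");
        if (value == null) {
            throw new ServletException("requiredPort init-param is required");
        }
        requiredPort = Integer.parseInt(value.trim());
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        int socketPort = request.getLocalPort();   // socket level, header-independent
        int headerPort = request.getServerPort();  // header-derived, informational only
        if (socketPort != requiredPort) {
            // Log both values: a mismatch between them is a useful spoofing signal.
            config.getServletContext().log("Rejected request on port " + socketPort
                    + " (Host header claimed " + headerPort + "), required " + requiredPort);
            if (response instanceof HttpServletResponse) {
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        config = null;
    }
}
```

Map the filter in web.xml to the paths that must only be reachable through the restricted connector, and set requiredPort to that connector's port.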

