DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=37859>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37859

           Summary: getServerPort() not reliable
           Product: Tomcat 5
           Version: 5.5.9
          Platform: Other
               URL: http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/ServletRequest.html#getServerPort()
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: Connector:Coyote
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

If a browser sends a mistaken port number as per org.apache.coyote.http11.Http11Processor.parseHost(MessageBytes valueMB) this will overwrite the true host port.

Not that relying on the local server host as an access control is a particularly recommendable access control approach, but still, firewalls ought to block ports coming from the outside while other processes from within a DMZ should be able to connect to such ports. So, an outside host might be able to fake being an insider in the view of a web application programmer?

I doubt that the specs intended it to behave this way.
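
One way for a web application to avoid depending on the value discussed in this report, as an added example that is not part of the bug report or of Tomcat's code: a servlet filter that decides on `getLocalPort()` (Servlet 2.4 and later), the port the connection was actually accepted on, instead of `getServerPort()`, which follows the client's `Host` header. The class name `InternalPortFilter` and the init-param `internalPort` are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical class): admit only requests accepted on one connector port. */
public class InternalPortFilter implements Filter {
    private int internalPort;       // from the hypothetical init-param "internalPort"
    private ServletContext context; // used for logging only

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        String value = config.getInitParameter("internalPort");
        if (value == null) {
            throw new ServletException("init-param internalPort is required");
        }
        try {
            internalPort = Integer.parseInt(value.trim());
        } catch (NumberFormatException e) {
            throw new ServletException("internalPort is not a number: " + value);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        int claimedPort = req.getServerPort(); // taken from the Host header when it carries a port
        int receivedOn = req.getLocalPort();   // port of the socket that accepted the connection

        // Decide on the socket-level port only; claimedPort is client-supplied.
        if (receivedOn != internalPort) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // A Host header port that disagrees with the socket is worth recording.
        if (claimedPort != receivedOn) {
            context.log("Host header port " + claimedPort + " differs from local port "
                    + receivedOn + " (client " + req.getRemoteAddr() + ")");
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Behind a reverse proxy or load balancer, `getLocalPort()` reports the port of the connector the proxy connected to, so the allowed port has to be chosen with that topology in mind.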