> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 30 August 2002 19:54
> To: Tomcat Developers List
> Subject: RE: Spec question: RE BUG 12052
> 
> It may very well be a security issue ( and quite a big one ! ).
> There are sites using all kinds of firewalls and settings in httpd.conf to
> restrict access to some hosts or ports ( say from internal network ).
> If Host: info is used for security checks - it would be trivial to
> bypass some of this security.
> 
> In particular - people may have servlets that check getServerName() to
> find if 'localhost' was used - the spec change will leave them with
> a huge hole ( any request with forged Host: localhost will pass ).
> 

Good comment..

In the particular case you have pointed out, it's a user problem, a request
with Host: localhost can only be issued by someone with Remote
IP=localhost..

So one can take some security measures to check the correctness of the
request..

All other use cases I can imagine fall within the users' problems, if the
correct VS has received the request, is the Remote IP appropriate for
that VS? Does the port where the request has been received match the port
where the VS is supposed to be?

But by far in the journey we have learned something, never trust a Host
header without first trusting the Remote IP, at least for ultra-secure
apps..

And another thing, I wonder if it would be appropriate to check if a
request came from the (at least) correct port before dispatching it to
the VS.. at least within TC, and check if Apache2 is taking any measures
to be certain of this fact..

Regards,
Ignacio J. Ortega

