On Fri, 17 Sep 2021 14:11:38 GMT, Julia Boes <jb...@openjdk.org> wrote:

> Thanks for sharing your experience on this, it's appreciated. 0.0.0.0 is a 
> common default for Apache httpd [1], Nginx [2], the Python web server [3]. 
> This being said, I want to make sure we're taking the right decision here so 
> let me seek some further advice on this.
> 
> [1] http://httpd.apache.org/docs/2.4/bind.html
> [2] https://docs.nginx.com/nginx/admin-guide/web-server/web-server/
> [3] https://github.com/python/cpython/blob/3.4/Lib/http/server.py

Further review concluded that a default binding to 0.0.0.0 creates too high a 
level of exposure, particularly for a low-threshold utility like this server. 
Binding to an unrestricted address is a known way for attackers to launch a 
Denial-of-Service attack, classified by MITRE as CWE-1327 [1]. We therefore 
update the default binding to the loopback address and amend the help output 
with information on how to bind to 0.0.0.0, e.g.:

```
$ java -m jdk.httpserver -h
Usage: java -m jdk.httpserver [-b bind address] [-p port] [-d directory]
                              [-o none|info|verbose] [-h to show options]
Options:
-b, --bind-address    - Address to bind to. Default: 127.0.0.1 (loopback).
                        For 0.0.0.0 (all interfaces) use -b 0.0.0.0 or -b ::0.
-d, --directory       - Directory to serve. Default: current directory.
-o, --output          - Output format. none|info|verbose. Default: info.
-p, --port            - Port to listen on. Default: 8000.
-h, -?, --help        - Print this help message.
To stop the server, press Ctrl + C.
```
Thanks again for flagging this, @jaikiran .

[1] https://cwe.mitre.org/data/definitions/1327.html

-------------

PR: https://git.openjdk.java.net/jdk/pull/5505
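The loopback-by-default decision above, shown as an added example in program form (this is not code from the PR or from the JDK). It assumes the `com.sun.net.httpserver.SimpleFileServer` API as shipped in JDK 18; the `-b`/`-p` parsing is a hypothetical stand-in for the real CLI, and the post-start check reports what the socket is actually bound to so an operator can confirm the server is not exposed.

```java
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.SimpleFileServer;
import com.sun.net.httpserver.SimpleFileServer.OutputLevel;

import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.file.Path;

// Added example, not the JDK's or the PR's own code. Assumes the JDK 18 SimpleFileServer API.
public class LoopbackByDefault {

    /** Loopback unless the caller explicitly asks for another address (e.g. 0.0.0.0 or ::0). */
    static InetSocketAddress bindAddress(String requested, int port) throws Exception {
        if (requested == null) {
            return new InetSocketAddress(InetAddress.getLoopbackAddress(), port); // 127.0.0.1
        }
        // An explicit "-b 0.0.0.0" / "-b ::0" is the opt-in to all interfaces, as in the help text.
        return new InetSocketAddress(InetAddress.getByName(requested), port);
    }

    public static void main(String[] args) throws Exception {
        String requested = null; // hypothetical minimal parsing of "-b <addr>" and "-p <port>"
        int port = 8000;
        for (int i = 0; i + 1 < args.length; i++) {
            if (args[i].equals("-b")) requested = args[i + 1];
            if (args[i].equals("-p")) port = Integer.parseInt(args[i + 1]);
        }

        InetSocketAddress addr = bindAddress(requested, port);
        // createFileServer requires an absolute root directory.
        HttpServer server = SimpleFileServer.createFileServer(
                addr, Path.of(".").toAbsolutePath(), OutputLevel.INFO);
        server.start();

        // Operator check: report the address the socket is really bound to and flag
        // network-reachable bindings, which is exactly the exposure the new default avoids.
        InetAddress bound = server.getAddress().getAddress();
        System.out.println("Serving on " + server.getAddress());
        if (bound.isAnyLocalAddress()) {
            System.out.println("WARNING: bound to all interfaces; reachable from other hosts");
        } else if (!bound.isLoopbackAddress()) {
            System.out.println("NOTE: bound to non-loopback address " + bound.getHostAddress());
        }
    }
}
```

Run with no arguments to get the loopback default; pass `-b 0.0.0.0` to see the warning the check emits for an all-interfaces binding.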
