https://bz.apache.org/bugzilla/show_bug.cgi?id=63851

            Bug ID: 63851
           Summary: Response's "Location" header must not disclose
                    internal IPs
           Product: Tomcat 8
           Version: 8.5.14
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: hau...@acm.org
  Target Milestone: ----

If you have an internal network and in server.xml

<Connector port ...
address="173.24.10.222"

when you send a redirect with a relative URL such as

  response.sendRedirect("/index.jsp");

the 
  "https://173.24.10.222:6443/index.jsp"
is given back in the Location header which is considered useful "discovery" for
unfriendly counterparts...

==> for these cases, maybe in 
 
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Standard_Implementation
  it should be possible to add a

  "addressExternal" value ?

see also: bug 54367

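One way to detect the behaviour reported above is to audit redirect responses for a Location host that is an IP literal or is not the expected external name. This is an added example, not part of the bug report or of Tomcat; the sample responses are constructed and `www.example.org` is an assumed external hostname. It flags any IP literal rather than only private ranges, because the connector address in the report is not in a private range.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Found\r\nLocation: https://173.24.10.222:6443/index.jsp\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: https://www.example.org/index.jsp\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: /index.jsp\r\n\r\n",
    "HTTP/1.1 302 Found\r\nlocation: http://[fd00::10]:8080/login\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
]

def location_headers(raw_response):
    """Yield every Location header value from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":   # names are case-insensitive
            yield value.strip()

def check_location(value, allowed_hosts):
    """Return a finding string, or None if the redirect target is acceptable."""
    host = urlsplit(value).hostname              # None for relative URLs
    if host is None:
        return None
    try:
        ip = ipaddress.ip_address(host)          # handles IPv4 and bracketed IPv6
    except ValueError:
        # A DNS name: acceptable only if it is one of the external names.
        if host.lower() in allowed_hosts:
            return None
        return f"unexpected host {host!r}"
    scope = "private range" if ip.is_private else "public range"
    return f"IP literal {ip} ({scope}) in Location"

def audit(responses, allowed_hosts):
    """Return (response index, header value, finding) for each bad redirect."""
    findings = []
    for idx, raw in enumerate(responses):
        for value in location_headers(raw):
            problem = check_location(value, allowed_hosts)
            if problem:
                findings.append((idx, value, problem))
    return findings

if __name__ == "__main__":
    for idx, value, problem in audit(SAMPLE_RESPONSES, {"www.example.org"}):
        print(f"response {idx}: {problem}: {value}")
```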