To whom it may concern,

On 11/23/22 14:31, tommydu1...@outlook.com wrote:
> Hi there,
>
> Product: <https://bz.apache.org/bugzilla/describecomponents.cgi>
> [snip]
> The default behaviour of http connector is listening on all interfaces.

False.

> It is found in the description of "address" in the attributes section.
> (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)
It's listed in another section, and does not say all interfaces.

> In terms of secure defaults, it may not be best practice. In case of
> unexpected mistakes made by people, the default behaviour of exposing the server to
> every possible network may pose a potential threat to security.

Good thing Tomcat does not default to that configuration.

> CWE-1327: Binding to an Unrestricted IP Address:
> https://cwe.mitre.org/data/definitions/1327.html

> The issue should be a security enhancement. I recommend changing the default
> behaviour to a single interface/network, e.g. the loopback interface 127.0.0.1, and
> adding a configuration option with default value OFF for 0.0.0.0 or ::.

Sounds great. So what exactly needs to be changed? You want us to pick only IPv4 or IPv6?

If not, what you describe is exactly the default configuration that you will get.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
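Whichever reading of the default is right, the way to stop depending on it is to set the Connector's "address" attribute explicitly. The server.xml fragment below is an added illustration, not code from this thread or from the Tomcat project; it assumes Tomcat 9 with the HTTP/1.1 connector on port 8080 and a reverse proxy running on the same host, and the interface address 10.0.0.5 in the comment is an invented placeholder.

```xml
<!-- server.xml fragment (added illustration, not from the thread or the Tomcat project).
     Assumed: Tomcat 9, HTTP/1.1 connector on port 8080, reverse proxy on the same host. -->
<Service name="Catalina">

  <!-- Unrestricted binding: the connector accepts connections on every local
       address (CWE-1327). Keep this form only if a host firewall is the control. -->
  <!--
  <Connector port="8080" protocol="HTTP/1.1"
             address="0.0.0.0"
             connectionTimeout="20000" />
  -->

  <!-- Restricted binding: only the IPv4 loopback address. A reverse proxy on the
       same host can still reach it; nothing off-box can. Use address="::1" for
       the IPv6 loopback instead, or one interface address (e.g. the placeholder
       address="10.0.0.5") to expose the connector on a single network only. -->
  <Connector port="8080" protocol="HTTP/1.1"
             address="127.0.0.1"
             connectionTimeout="20000" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

After restarting Tomcat, check what actually got bound rather than trusting the file: on Linux, `ss -ltnp | grep 8080` should show `127.0.0.1:8080` in the Local Address:Port column, not `0.0.0.0:8080`, `*:8080` or `[::]:8080`. The "address" attribute is documented under the connector's common attributes in the Tomcat HTTP connector reference, not in the SSL section linked above.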
