https://bz.apache.org/bugzilla/show_bug.cgi?id=62132
Bug ID: 62132
Summary: No reliable way to know if the request emerged from localhost
Product: Tomcat 7
Version: 7.0.82
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
We have a requirement such that admins (Tomcat users) need to log in remotely to the machine where Tomcat is hosted and access the Tomcat webapp to perform certain actions or see certain pages. These pages or actions are not permitted if users log in remotely.

Initially we thought request.getRemoteAddr could be used to determine whether the actual client IP is local or not, but it looks like, based on the X-Forwarded-For header, it is easy to spoof request.getRemoteAddr. The spoofing is possible even from trusted internal proxies.

So we thought request.getServerName is more reliable than request.getRemoteAddr, but the HOST header can be spoofed to be reflected in request.getServerName. Strangely, Tomcat honors the HOST header to update request.getServerName.

I strongly feel this is a Tomcat issue; otherwise, let us know how we can reliably determine if the request originated from localhost, or whether this is something that is not possible.
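One defensive check that follows from the report, written here as an added example rather than Tomcat's own code (the filter name and the list of forwarding headers are my assumptions): it ignores Host and getServerName entirely, refuses any request that carries a proxy-forwarding header, and only then trusts the peer address the container reports.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of Tomcat): a request counts as "local" only
// when the evidence cannot originate from a client-supplied header:
//   1. no proxy-forwarding header is present (a direct loopback connection
//      never carries one; if one is present, getRemoteAddr() may already be
//      the product of X-Forwarded-For processing rather than the socket peer);
//   2. the address the container reports for the peer is a loopback address.
// Host / X-Forwarded-Host and getServerName() are deliberately not consulted.
public class LocalOnlyFilter implements Filter {
    private static final String[] FORWARDING_HEADERS = {
        "X-Forwarded-For", "Forwarded", "X-Real-IP", "X-Forwarded-Host"
    };

    static boolean isLoopback(String addr) {
        if (addr == null) return false;
        try {
            // getRemoteAddr() yields an IP literal, so no DNS lookup happens here
            return InetAddress.getByName(addr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // unparseable value: fail closed
        }
    }

    static boolean isLocalRequest(HttpServletRequest req) {
        for (String h : FORWARDING_HEADERS) {
            if (req.getHeader(h) != null) return false; // passed through a proxy
        }
        return isLoopback(req.getRemoteAddr());
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!isLocalRequest((HttpServletRequest) request)) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Map it in web.xml to the admin-only URLs. A reverse proxy running on the same host is also rejected by this check, because its requests arrive with forwarding headers; that is the intended fail-closed behaviour.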