Posted to dev@tomcat.apache.org by bu...@apache.org on 2007/10/10 19:09:10 UTC

DO NOT REPLY [Bug 43588] New: - Tomcat uses hardcoded 127.0.0.1 for localhost

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43588>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43588

           Summary: Tomcat uses hardcoded 127.0.0.1 for localhost
           Product: Tomcat 6
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: roman.fiedler@telbiomed.at


Tomcat uses IP 127.0.0.1 when talking to localhost. This will be correct in most
cases but will not work on special setups, e.g. Linux vserver guests where
127.0.0.1 is the host machine; the guest machine "localhost IP" can be any other
(e.g. 127.0.0.2 or 10.0.0.1). Though unusual, such a configuration seems to be OK
according to the IP RFCs.

The problem is that Tomcat ignores this possibility and does not ask the OS for
the localhost IP via getAddressByName("localhost"); it uses a hardcoded
127.0.0.1, e.g.

./java/org/apache/catalina/startup/Catalina.java:            Socket socket = new Socket("127.0.0.1", server.getPort());

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


------- Additional Comments From fhanik@apache.org  2007-10-24 12:13 -------
I think this patch is invalid,
for the end points, if I bind to an interface, then I can't unlock the accept by
doing ("localhost",port), since the port won't be bound to localhost at all.

granted, that the problem I'm describing is already existing, and not related to
the localhost bug

Filip

------- Additional Comments From paul.shemansky@gmail.com  2007-10-31 05:15 -------
(In reply to comment #6)
> Can we change the patch?
> See comment at STATUS File:
> -1: funkman InetAddress.getLocalHost() != localhost - it should be
>             InetAddress.getByName("localhost").getHostAddress()

I will not claim to be an expert in IPv4 or IPv6.  Granted, after tracing the
actual InetAddress source code for both getLocalHost() and getByName(), I
believe the original patch should stay, keeping getLocalHost().  If anyone
disagrees with my choice, and feels that getByName("localhost") is better, I
would have to further recommend that we use : getAllByName("localhost")[0],
which is a shortcut to the new proposal.  If I am completely incorrect, I
apologize - please correct me in a separate email so that I have a better
understanding.

New Choices/My Votes :
1.) +1  - Keep : InetAddress.getLocalHost() and apply current proposed patch
2.) -1  - Change to new proposal : InetAddress.getByName("localhost")
3.) +1? - Change to new proposal 'shortcut' :
InetAddress.getAllByName("localhost")[0]

(In reply to comment #4)
> ignore my previous comment, I'm a retard, didn't look into it enough

Filip, did you get the same results I did?  Why did you agree with me?


------- Additional Comments From fhanik@apache.org  2007-10-24 12:14 -------
ignore my previous comment, I'm a retard, didn't look into it enough

------- Additional Comments From funkman@joedog.org  2007-10-31 05:27 -------
InetAddress.getLocalHost().getHostAddress() does not necessarily return 
localhost - it (can and usually) returns the IP address that other folks can 
see.

This means that the shutdown listener by default would listen on a publicly 
addressable location - which means now ANYONE by default can shutdown tomcat 
instead of someone who has access to the machine. 


------- Additional Comments From paul.shemansky@gmail.com  2007-10-31 08:18 -------
(In reply to comment #8)
Okay, I can see how that can definitely be a problem.

However, by using getByName("localhost") OR getAllByName("localhost")[0], the
java.net API seems to automatically use the "common" loopback address of
127.0.0.1, completely ignoring the system configuration.  This brings us back to
the original bug post which involves not being able to use any customized IP for
the "localhost" (i.e. 127.0.0.2 or 10.0.0.1).

Should we instead be looking to separate the shutdown listener somehow?



------- Additional Comments From fhanik@apache.org  2007-11-01 08:48 -------
(In reply to comment #8)
> InetAddress.getLocalHost().getHostAddress() does not necessarily return 
> localhost - it (can and usually) returns the IP address that other folks can 
> see.
> 
> This means that the shutdown listener by default would listen on a publicly 
> addressable location - which means now ANYONE by default can shutdown tomcat 
> instead of someone who has access to the machine. 
> 

For all the connectors:
The correct way is doing InetAddress.getLocalHost().getHostAddress()
we are not trying to get the IP of "localhost" here, we are trying to just get
one of the interfaces that Tomcat listens to so that we can release the accept
thread. 

What I would suggest, use InetAddress.getLocalHost().getHostAddress() wherever
we need to access a port that is listening on 0.0.0.0, and file a separate
bugzilla item for the other locations

Filip

funkman@joedog.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From funkman@joedog.org  2007-12-26 18:18 -------
This was fixed with
http://svn.apache.org/viewvc?view=rev&revision=596761

------- Additional Comments From marcel.may.tomcat@metacube.net  2007-12-21 10:14 -------
Proposed solution for StandardServer.java:

Keep 127.0.0.1 as a default and enable an override 'address' field for a
different default ip address. So that you can set the shutdown ip address like
for the other connectors etc. in the server.xml. This is a very flexible and
consistent way to configure the shutdown ip address.

paul.shemansky@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #20989|0                           |1
        is obsolete|                            |




------- Additional Comments From paul.shemansky@gmail.com  2007-10-24 08:58 -------
Created an attachment (id=21036)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21036&action=view)
Revised patch. Please review / vote.


------- Additional Comments From paul.shemansky@gmail.com  2007-10-16 05:00 -------
Created an attachment (id=20989)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20989&action=view)
This patch changes hardcoded references of 127.0.0.1

Please review this patch, and ensure that there are no errors or potential
regression issues.  Apply accordingly.

------- Additional Comments From lgalfaso@gmail.com  2007-10-31 19:05 -------
(In reply to comment #9)
Instead of doing a refactor, and if no solution is best, why not just add a new
property "org.apache.tomcat.localhost.ip" that defaults to "127.0.0.1" that
whoever starts tomcat is able to override?
Not an automagic solution, but will address the original issue and will not
create any new security issues
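
The trade-off debated in this thread, as an added example that is not Tomcat code and not the committed fix: it prints what getByName("localhost") and getLocalHost() resolve to on the current machine, then binds a control listener to a loopback default unless the operator overrides it. The property name is the one proposed in the comment above and is used here as an assumption; the class name and the scope() helper are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.UnknownHostException;

// Added example, not Tomcat code.
public class ShutdownBindCheck {
    // Name proposed in the thread; an assumption, not a confirmed Tomcat setting.
    static final String PROP = "org.apache.tomcat.localhost.ip";

    /** Describe from where a listener bound to this address can be reached. */
    static String scope(InetAddress a) {
        if (a.isAnyLocalAddress()) return "ALL interfaces (wildcard)";
        if (a.isLoopbackAddress()) return "loopback only";
        if (a.isSiteLocalAddress()) return "private network";
        if (a.isLinkLocalAddress()) return "link-local";
        return "potentially public";
    }

    /** Explicit operator override wins; otherwise keep the loopback default. */
    static InetAddress controlAddress() throws UnknownHostException {
        String override = System.getProperty(PROP);
        if (override == null || override.trim().isEmpty()) {
            return InetAddress.getByName("127.0.0.1"); // literal, no name lookup
        }
        InetAddress a = InetAddress.getByName(override.trim());
        if (a.isAnyLocalAddress()) {
            throw new IllegalArgumentException(PROP + " must not be a wildcard address");
        }
        if (!a.isLoopbackAddress()) {
            // Allowed (the vserver guest case), but it is a deliberate choice.
            System.err.println("WARNING: control listener on non-loopback "
                    + a.getHostAddress() + " [" + scope(a) + "]");
        }
        return a;
    }

    public static void main(String[] args) throws IOException {
        // What each option from the thread resolves to on this machine.
        InetAddress byName = InetAddress.getByName("localhost");
        System.out.printf("getByName(\"localhost\") -> %s [%s]%n",
                byName.getHostAddress(), scope(byName));
        try {
            InetAddress local = InetAddress.getLocalHost();
            System.out.printf("getLocalHost()          -> %s [%s]%n",
                    local.getHostAddress(), scope(local));
        } catch (UnknownHostException e) {
            System.out.println("getLocalHost() failed: hostname does not resolve");
        }

        InetAddress bind = controlAddress();
        // Port 0 asks for an ephemeral port so the example never collides
        // with a real service; backlog 1 is enough for a control channel.
        try (ServerSocket ss = new ServerSocket(0, 1, bind)) {
            System.out.printf("control listener bound to %s:%d [%s]%n",
                    bind.getHostAddress(), ss.getLocalPort(), scope(bind));
        }
    }
}
```

On a guest whose local address is not 127.0.0.1, start it with -Dorg.apache.tomcat.localhost.ip=<address> to see the override path and the warning.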

fhanik@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #21036|0                           |1
        is obsolete|                            |




------- Additional Comments From fhanik@apache.org  2007-10-24 12:21 -------
Created an attachment (id=21039)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21039&action=view)
Incl. Nio

Added NIO connector to patch

------- Additional Comments From paul.shemansky@gmail.com  2007-11-01 04:46 -------

(In reply to comment #10)
> (In reply to comment #9)
> Instead of doing a refactor, and if no solution is best, why not just add a new
> property "org.apache.tomcat.localhost.ip" that defaults to "127.0.0.1" that
> whoever starts tomcat is able to override?
> Not an automagic solution, but will address the original issue and will not
> create any new security issues

+1 - That still requires slight refactoring, but it sounds like a worthy idea to
me. ;)



------- Additional Comments From pr@objektpark.de  2007-10-29 23:18 -------
Can we change the patch?

See comment at STATUS File:
-1: funkman InetAddress.getLocalHost() != localhost - it should be
            InetAddress.getByName("localhost").getHostAddress()
