Posted to dev@tomcat.apache.org by Pier Fumagalli <pi...@betaversion.org> on 2001/10/24 01:56:03 UTC

Port=0, binding in Random...

Anytime we construct a ServerSocket in Tomcat, we shouldn't allow the value
"0" to be passed to the ServerSocket constructor, as that will bind down to
a random port number... (and we don't want to open random ports on the
server, do we?)

For TC40, I believe the fix is pretty easy, in ServerSocketFactory... I
don't know if TC3x is affected...

Thanks to Tal for noticing...

    Pier


RE: Port=0, binding in Random...

Posted by Tal Dayan <ta...@zapta.com>.
I proposed not to consider port 0 as a fatal error that will abort Tomcat
but simply to ignore it and not to bind to any shutdown port at all.

In our deployment we are not using the shutdown port, so having to have an
unused 'shutdown' port open is just an invitation for problems
(security-wise).

Thanks,

Tal

> -----Original Message-----
> From: Pier Fumagalli [mailto:pier@betaversion.org]
> Sent: Tuesday, October 23, 2001 4:56 PM
> To: Tal Dayan; tomcat dev jakarta.apache.org
> Subject: Port=0, binding in Random...
>
>
> Anytime we construct a ServerSocket in Tomcat, we shouldn't allow the value
> "0" to be passed to the ServerSocket constructor, as that will bind down to
> a random port number... (and we don't want to open random ports on the
> server, do we?)
>
> For TC40, I believe the fix is pretty easy, in ServerSocketFactory... I
> don't know if TC3x is affected...
>
> Thanks to Tal for noticing...
>
>     Pier
>
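
The two positions in this thread, sketched in Java as an added example (not code from the thread or from Tomcat): a checked factory that refuses port 0 before it reaches the `ServerSocket` constructor, and a shutdown listener that treats port 0 as "bind nothing". The names `PortGuardDemo`, `createChecked` and `openShutdownSocket` are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.util.Optional;

// Added illustration; class and method names are hypothetical, not Tomcat's.
public class PortGuardDemo {

    // Strict policy (first message): refuse 0 and out-of-range values
    // before they reach the ServerSocket constructor.
    static ServerSocket createChecked(int port, InetAddress addr) throws IOException {
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException(
                "Refusing to bind: port " + port + " is not an explicit port (1-65535)");
        }
        return new ServerSocket(port, 50, addr);
    }

    // Lenient policy for the shutdown listener (reply): port 0 means
    // "no shutdown port", so nothing is bound at all.
    static Optional<ServerSocket> openShutdownSocket(int port, InetAddress addr)
            throws IOException {
        if (port == 0) {
            return Optional.empty();
        }
        return Optional.of(createChecked(port, addr));
    }

    public static void main(String[] args) throws IOException {
        InetAddress loopback = InetAddress.getLoopbackAddress();

        // The behaviour under discussion: 0 makes the OS pick a free port.
        try (ServerSocket s = new ServerSocket(0, 50, loopback)) {
            System.out.println("new ServerSocket(0) bound to port " + s.getLocalPort());
        }

        try {
            createChecked(0, loopback);
        } catch (IllegalArgumentException e) {
            System.out.println("checked factory: " + e.getMessage());
        }

        System.out.println("shutdown socket bound for port 0: "
            + openShutdownSocket(0, loopback).isPresent());
    }
}
```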