
Bug 322374

Summary: [Webapp][Security] Setting sys prop -Dserver_host=127.0.0.1 does NOT force webserver to listen only on 127.0.0.1 interface
Product: [Eclipse Project] Platform
Reporter: rahulk
Component: User Assistance
Assignee: Chris Goldthorpe <cgold>
Status: VERIFIED FIXED
QA Contact:
Severity: major
Priority: P3
CC: cgold, kleind, mukund, raji, simon_kaegi
Version: 3.2
Flags: simon_kaegi: review+
Target Milestone: 3.6.1
Hardware: PC
OS: All
Whiteboard:
Attachments: Patch (flags: none)

Description rahulk CLA 2010-08-11 10:52:30 EDT
Build Identifier: Eclipse 3.2, 3.3, 3.4, 3.6

The Eclipse Help subsystem provides a set of properties which can be used to configure the host address and port for the underlying web server (Tomcat in Eclipse 3.2/3.3, Jetty in Eclipse 3.4 & above). The properties are:

'server_host' to configure the address
'server_port' to configure the port

However, I have noticed that in spite of setting -Dserver_host=127.0.0.1 the webserver still listens on all interfaces, i.e. when I run the netstat command I see the following entries in the output...

0:0:0:0:<port>

which means the webserver is available to receive requests on all adapters (basically every IP provided by the machine) on the specified port. So, basically, if the machine had an IP of 192.57.68.134 then the machine would respond to a request directed at 192.57.68.134:8888 even though we don't want it to. This is a major security risk for customers who want to lock down their machines to local access only. A firewall can be configured to block all incoming requests from external machines, but then again we can't rely on customers to always have firewalls installed and configured to the appropriate level.

NOTE: Problem may not be in the Eclipse Help subsystem itself... there could be another component in the default Eclipse SDK install that is configuring a server instance. Difficult to tell. 

Reproducible: Always

Steps to Reproduce:
1. Set -Dserver_host=127.0.0.1 & -Dserver_port=8888 in eclipse.ini
2. Launch Eclipse SDK (3.2, 3.3, 3.4, 3.5, 3.6)
3. Launch Eclipse Help
4. Open command terminal, type 'netstat -an'
5. Notice entries for 127.0.0.1:8888 and 0:0:0:0:8888. Expect to see only 127.0.0.1:8888.
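The check in steps 4 and 5 above, written out as an added example (this is not code from the bug report or from the Eclipse project): it parses `netstat -an` output in both the Windows and the Linux column layouts and reports whether every socket listening on the help-server port is bound to a loopback address, or whether a wildcard binding (0.0.0.0 / ::) exposes it on all interfaces. The netstat excerpts embedded below are constructed to show the symptom before the fix and the expected state after it; the function names are this example's own.

```python
"""Classify the listeners netstat reports on a given port.

Added example, not part of the bug report. Parses `netstat -an` output and
reports whether the help-server port is bound only to loopback or also to a
wildcard address. The netstat samples are constructed, not captured.
"""
import ipaddress

LISTEN_STATES = {"LISTEN", "LISTENING"}   # Linux / Windows spellings

# Constructed netstat -an excerpt showing the symptom from the report:
# a loopback listener AND wildcard listeners on port 8888.
SAMPLE_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49152     93.184.216.34:443      ESTABLISHED
  TCP    [::]:8888              [::]:0                 LISTENING
"""

# Constructed excerpt of the expected state once the server is bound to
# 127.0.0.1 only (the unrelated port 135 listener is there as noise).
SAMPLE_AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""


def split_endpoint(token):
    """Split 'host:port' (IPv4, bracketed IPv6 or bare IPv6) into (host, port)."""
    host, _, port = token.rpartition(":")
    host = host.strip("[]")
    try:
        return host, int(port)
    except ValueError:        # e.g. '*' on Linux, or a malformed token
        return host, None


def classify(host):
    """Return 'loopback', 'wildcard' or 'specific' for a bound address."""
    # All-zero shorthands such as the report's '0:0:0:0' are not valid
    # ipaddress literals, so treat any zeros-only host as a wildcard.
    if set(host) <= set("0:."):
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "specific"     # hostnames etc.; assume reachable
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:   # 0.0.0.0 or :: (also 0:0:0:0:0:0:0:0)
        return "wildcard"
    return "specific"


def listeners_on_port(netstat_text, port):
    """Return [(host, class)] for every LISTEN socket bound to `port`."""
    found = []
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not tokens or not LISTEN_STATES.intersection(tokens):
            continue
        # The local address is the first 'host:port' token on the line,
        # which holds for both the Windows and the Linux column layouts.
        local = next((t for t in tokens if ":" in t), None)
        if local is None:
            continue
        host, bound_port = split_endpoint(local)
        if bound_port == port:
            found.append((host, classify(host)))
    return found


def exposed_listeners(netstat_text, port):
    """Addresses on `port` that would accept connections from other hosts."""
    return [h for h, kind in listeners_on_port(netstat_text, port)
            if kind != "loopback"]


def is_local_only(netstat_text, port):
    """True iff something listens on `port` and every such socket is loopback."""
    listeners = listeners_on_port(netstat_text, port)
    return bool(listeners) and not exposed_listeners(netstat_text, port)


if __name__ == "__main__":
    for name, text in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        print(name, "-> local only:", is_local_only(text, 8888),
              "exposed:", exposed_listeners(text, 8888))
```

Run it against a real `netstat -an` capture by passing the captured text to `is_local_only(text, 8888)`; any address returned by `exposed_listeners` is one a remote client could connect to, regardless of what `server_host` was set to.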
Comment 1 Chris Goldthorpe CLA 2010-08-11 18:43:23 EDT
server_host only changes the URL which is used when opening help pages from the workbench. It is however a problem that the help server in workbench mode allows any client to connect to it. The default mode of starting the help server should only allow local connections.
Comment 2 Chris Goldthorpe CLA 2010-08-16 14:23:28 EDT
I checked with Simon Kaegi and it is possible to prevent access from remote clients by setting the Jetty configuration parameter "http.host" to "127.0.0.1". I tested this and it does work - I was only able to access the help system from 127.0.0.1 and from localhost after I set this parameter. If I used the IP address of my machine, www.xxx.yyy.zzz, I was not able to open the help system using www.xxx.yyy.zzz:port/help/index.jsp either from a remote machine or from the machine on which the help system was hosted. Setting http.host to "localhost" has the same effect.

The most obvious way to fix this for 3.6.1 would be for the help system to use the value of the server_host property as the value of http.host when configuring Jetty. The main advantage of this approach is that it only affects users who set the server_host property, thus reducing risk. The main disadvantage is that most users will get no benefit from this patch because they are not setting that property.

Are there any other risks we need to be aware of?

For 3.7 and beyond I am wondering if we want to make the default mode for workbench help to be to set http.host to localhost.
Comment 3 Chris Goldthorpe CLA 2010-08-16 16:34:16 EDT
Created attachment 176730 [details]
Patch

This patch checks to see if server_host has been defined and, if so, uses that as the http.host value when starting Jetty. I believe that this is unlikely to have negative side effects since it only affects users who have set server_host. There was consideration of not setting http.host when in infocenter mode, but I do not think that infocenter owners would ever set server_host; if they did, the workaround would be to stop setting that value.
Comment 4 Chris Goldthorpe CLA 2010-08-16 16:35:33 EDT
Simon, can you review this patch for inclusion in 3.6.1? Can you think of any risk associated with this fix?
Comment 5 Simon Kaegi CLA 2010-08-16 17:17:11 EDT
Looks good and I think it's fine for 3.6.1 so long as we do not change default behaviour.
Comment 6 Chris Goldthorpe CLA 2010-08-16 17:48:01 EDT
Patch committed to HEAD.
Comment 7 Chris Goldthorpe CLA 2010-08-16 17:55:23 EDT
Patch committed to 3.6 maintenance stream, Fixed
Comment 8 Chris Goldthorpe CLA 2010-08-18 19:06:53 EDT
The patch has also been applied to the 3.5 maintenance stream
Comment 9 Chris Goldthorpe CLA 2010-08-19 00:54:26 EDT
The patch has been backported and applied to the 3.4 maintenance stream.
Comment 10 Chris Goldthorpe CLA 2010-09-01 17:27:12 EDT
Verified in M20100901-0800