66429 – Limit access to Examples and Documentation by localhost only
<!DOCTYPE html>
<html lang="en">
<head>
<title>66429 – Limit access to Examples and Documentation by localhost only</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body class="bz-apache-org-bugzilla bz_bug bz_status_RESOLVED bz_product_Tomcat_11 bz_component_Examples bz_bug_66429 yui-skin-sam">
<div id="header">
<div id="titles">
<span id="title">ASF Bugzilla – Bug 66429</span>
<span id="subtitle" class="subheader">Limit access to Examples and Documentation by localhost only</span>
<span id="information" class="header_addl_info">Last modified: 2023-02-15 19:32:19 UTC</span>
</div>
</div>
<div id="bugzilla-body">
<form name="changeform" id="changeform" method="post" action="process_bug.cgi">
<div class="bz_short_desc_container edit_form">
<a href="show_bug.cgi?id=66429"><b>Bug 66429</b></a>
<div id="summary_input"><span class="field_label" id="field_label_short_desc">Summary:</span> Limit access to Examples and Documentation by localhost only</div>
</div>
<table class="edit_form">
<tr>
<td id="bz_show_bug_column_1" class="bz_show_bug_column">
<table>
<tr> <th class="field_label">Status:</th> <td id="bz_field_status"> <span id="static_bug_status">RESOLVED FIXED</span> </td> </tr>
<tr> <th class="field_label" id="field_label_alias">Alias:</th> <td>None</td> </tr>
<tr> <th class="field_label" id="field_label_product">Product:</th> <td class="field_value" id="field_container_product">Tomcat 11</td> </tr>
<tr class="bz_default_hidden"> <th class="field_label" id="field_label_classification">Classification:</th> <td class="field_value" id="field_container_classification">Unclassified</td> </tr>
<tr> <th class="field_label" id="field_label_component">Component:</th> <td class="field_value" id="field_container_component">Examples</td> </tr>
<tr> <th class="field_label" id="field_label_version">Version:</th> <td>unspecified</td> </tr>
<tr> <th class="field_label" id="field_label_rep_platform">Hardware:</th> <td class="field_value">PC All</td> </tr>
<tr> <th class="field_label">Importance:</th> <td>P2 enhancement</td> </tr>
<tr> <th class="field_label" id="field_label_target_milestone">Target Milestone:</th> <td>-------</td> </tr>
<tr> <th class="field_label" id="field_label_assigned_to">Assignee:</th> <td><span class="vcard"><span class="fn">Tomcat Developers Mailing List</span></span></td> </tr>
<tr> <th class="field_label" id="field_label_bug_file_loc">URL:</th> <td></td> </tr>
<tr> <th class="field_label" id="field_label_keywords">Keywords:</th> <td class="field_value" id="field_container_keywords"></td> </tr>
<tr> <th class="field_label" id="field_label_dependson">Depends on:</th> <td></td> </tr>
<tr> <th class="field_label" id="field_label_blocked">Blocks:</th> <td></td> </tr>
</table>
</td>
<td id="bz_show_bug_column_2" class="bz_show_bug_column">
<table>
<tr> <th class="field_label">Reported:</th> <td>2023-01-18 06:34 UTC by <span class="vcard"><span class="fn">Konstantin Kolinko</span></span></td> </tr>
<tr> <th class="field_label">Modified:</th> <td>2023-02-15 19:32 UTC</td> </tr>
<tr> <th class="field_label">CC List:</th> <td>0 users</td> </tr>
</table>
</td>
</tr>
</table>
<div id="comments">
<!-- This auto-sizes the comments and positions the collapse/expand links to the right.
--> <table class="bz_comment_table"> <tr> <td> <div id="c0" class="bz_comment bz_first_comment"> <div class="bz_first_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66429#c0">Description</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Konstantin Kolinko</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2023-01-18 06:34:56 UTC </span> </div> <pre class="bz_comment_text">I propose to limit access to Examples and Documentation that are bundled with Tomcat, so that they are accessible only from the loopback IP address. I mean, to configure a RemoteAddrValve, in the same way as has already been done for the Manager and Host-Manager web applications. &lt;Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /&gt; Justification: 1. According to the Apache Tomcat security considerations [1], it is recommended to remove these web applications, so that they are not exposed to the public. 2. Duplicate copies of documentation are indexed by search engines. Alternatively, this could be fought either with "&lt;link rel="canonical"&gt;" [2], or by blocking indexing either with a robots.txt file (but ROOT is a separate web application, which makes such a solution fragile), or with "&lt;meta name="robots" content="noindex, nofollow"&gt;" (but the same HTML pages are published to tomcat.apache.org). 
[1] <a rel="nofollow" href="https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Default_web_applications">https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Default_web_applications</a> [2] <a rel="nofollow" href="https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel#attr-canonical">https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel#attr-canonical</a></pre> </div> <div id="c1" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66429#c1">Comment 1</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Mark Thomas</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2023-02-15 19:32:19 UTC </span> </div> <pre class="bz_comment_text">Great idea. Implemented along with a custom 403 error page explaining how to enable access if required. Fixed in: - 11.0.x for 11.0.0-M3 onwards - 10.1.x for 10.1.6 onwards - 9.0.x for 9.0.72 onwards - 8.5.x for 8.5.86 onwards</pre> </div> </td> <td> </td> </tr></table> </div> </form> <hr> <ul class="related_actions"> <li><a href="show_bug.cgi?format=multiple&id=66429">Format For Printing</a></li> <li> - <a href="show_bug.cgi?ctype=xml&id=66429">XML</a></li> <li> - <a href="enter_bug.cgi?cloned_bug_id=66429">Clone This Bug</a></li> <li> - <a href="#">Top of page </a></li> </ul> <br> </div> <div id="footer"> <div class="intro"></div> This is <b>ASF Bugzilla</b>: the Apache Software Foundation bug system. In case of problems with the functioning of ASF Bugzilla, please contact <a href="mailto:bugzilla-admin@apache.org">bugzilla-admin@apache.org</a>. <b>Please Note:</b> this e-mail address is <b>only</b> for reporting problems with ASF Bugzilla. Mail about any other subject will be silently ignored. 
<div class="outro"></div> </div> </body> </html>