Server information disclosure with default configuration
jkushmaul opened this issue · 3 comments
Expected result:
To not have stack trace or server identification information by default in any responses.
Actual:
There is stack trace and server version information exposed by the default configuration.
Reproduce:
Run the default config:
docker run --rm --name tomcat-fail-demo -it -p 8080:8080 tomcat:9.0.79-jdk17
Provoke an HTTP-level error:
curl -v 'http://localhost:8080/showmesomeinfo"'
(The improperly encoded " is the trigger for the exception; it's invalid, but curl doesn't care and sends it as is.)
Response:
> GET /showmesomeinfo" HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 400
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 2035
< Date: Fri, 25 Aug 2023 19:18:41 GMT
< Connection: close
<
<!doctype html><html lang="en"><head><title>HTTP Status 400
...
The valid characters are defined in RFC 7230 and RFC 3986
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:490)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:263)
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
...
<h3>Apache Tomcat/9.0.79</h3>
Versions reproduced:
- tomcat:9.0.79-jdk17
- tomcat:10.1.12-jdk17
- tomcat:11.0.0-jdk17
Workaround:
Patching the file is a terrible way to do this; obviously one would use some kind of XPath tool, etc. But for this issue I'm trying to give a fully isolated and reproducible example, so I'm keeping it simple with a patch.
DOCKER_FILE='FROM tomcat:9.0.79-jdk17-temurin-focal as base
FROM base as patcher
RUN apt-get -y update && apt-get install -y patch && apt-get -y clean && rm -rf /var/lib/apt/lists/*
ARG DIFF_SERVER_XML
RUN echo "$DIFF_SERVER_XML" > server.xml.patch
RUN patch /usr/local/tomcat/conf/server.xml server.xml.patch
FROM base as patched
COPY --from=patcher /usr/local/tomcat/conf/server.xml /usr/local/tomcat/conf/server.xml
'
DIFF_SERVER_XML='--- docker/server.orig.xml 2023-08-08 16:41:26.000000000 -0400
+++ docker/server.xml 2023-08-25 16:38:40.277441440 -0400
@@ -161,6 +161,9 @@
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
+ <Valve className="org.apache.catalina.valves.ErrorReportValve"
+ showReport="false"
+ showServerInfo="false" />
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
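Review bot: as pasted, the unchanged context lines of this hunk (`<Host name="localhost" appBase="webapps"` through `<!--`) carry no leading space, and `@@ -161,6 +161,9 @@` promises six original lines while only five context lines appear, so `patch` is likely to report a malformed hunk; keeping the leading space and original indentation on each context line (and the sixth line) would let it apply cleanly. Since the patch is passed through `echo "$DIFF_SERVER_XML"` in the Dockerfile, that whitespace also has to survive the shell variable unchanged.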
'
echo "$DOCKER_FILE" | docker build --progress plain -t mod-tomcat:9.0.79-jdk17 --build-arg DIFF_SERVER_XML="$DIFF_SERVER_XML" -
- Run it:
docker run --rm -it --name mod-tomcat -p 8080:8080 mod-tomcat:9.0.79-jdk17
- Cause the error:
curl -v 'http://localhost:8080/showmesomeinfo"'
- Note that there is no longer an error; the server identification is also gone.
Since the configuration file is used directly from the Tomcat dist, I will copy this ticket there as well. More than likely you'll want it fixed there instead.
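An added check, not from the issue or from the Tomcat project, that a defender can run against a 400 page to confirm the two disclosures are gone after the ErrorReportValve change; the regexes, `audit_live_tomcat` and the two sample bodies are my own constructions (the leaky one is trimmed from the response quoted above).

```shell
# Added check, not from the issue or from Tomcat: audit an HTTP error page body
# for the two disclosures reported above (Java stack trace, Tomcat version footer).

# Stack-frame lines, e.g.
#   org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:490)
STACK_FRAME_RE='^[[:space:]]*(org|com|java|javax|jakarta)\.[A-Za-z0-9_.$]+\([A-Za-z0-9_]+\.java:[0-9]+\)'
# Footer written by ErrorReportValve when showServerInfo is true, e.g. <h3>Apache Tomcat/9.0.79</h3>
SERVER_INFO_RE='<h3>Apache Tomcat/[0-9]+(\.[0-9]+)*</h3>'

# Exit 0 when the body contains a stack trace, 1 otherwise.
body_has_stack_trace() {
  printf '%s\n' "$1" | grep -Eq "$STACK_FRAME_RE"
}

# Exit 0 when the body contains the server version footer, 1 otherwise.
body_has_server_info() {
  printf '%s\n' "$1" | grep -Eq "$SERVER_INFO_RE"
}

# Print one line per finding; the exit status is the number of findings (0 = clean).
audit_error_page() {
  findings=0
  if body_has_stack_trace "$1"; then
    echo 'LEAK: stack trace in error page (ErrorReportValve showReport="false" fixes this)'
    findings=$((findings + 1))
  fi
  if body_has_server_info "$1"; then
    echo 'LEAK: server version in error page (ErrorReportValve showServerInfo="false" fixes this)'
    findings=$((findings + 1))
  fi
  return $findings
}

# Live check against a running instance, using the same malformed request line as
# the issue (the unencoded quote makes Tomcat answer 400 via the ErrorReportValve).
# Usage: audit_live_tomcat localhost 8080
audit_live_tomcat() {
  audit_error_page "$(curl -s "http://$1:$2/showmesomeinfo\"")"
}

# Constructed sample: trimmed from the leaky 400 page quoted in the issue.
SAMPLE_LEAKY='<!doctype html><html lang="en"><head><title>HTTP Status 400</title></head><body>
The valid characters are defined in RFC 7230 and RFC 3986
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:490)
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:263)
<h3>Apache Tomcat/9.0.79</h3></body></html>'
# Constructed sample: what the same request returns once both attributes are false.
SAMPLE_CLEAN='<!doctype html><html lang="en"><head><title>HTTP Status 400</title></head><body>
<h1>HTTP Status 400 - Bad Request</h1></body></html>'
```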