Bug 569560 - Integrated web server should only listen on localhost
Status: NEW
Alias: None
Product: Platform
Classification: Eclipse Project
Component: User Assistance
Version: 4.19
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: Platform-UI-Inbox CLA
Reported: 2020-12-08 14:02 EST by Denis Roy CLA
Modified: 2020-12-09 11:48 EST

Description Denis Roy CLA 2020-12-08 14:02:51 EST
I believe the integrated Jetty web server uses a TCP port to host the documentation, and binds that port to a network interface.

To help prevent security incidents, the Jetty server should only bind to the loopback interface (127.0.0.1).
Comment 1 Andrew Johnson CLA 2020-12-09 11:48:00 EST
From a quick test on Windows and also on Ubuntu under Docker with an Eclipse RCP application based on 2020-03, help does seem to just listen on 127.0.0.1 and not the other interfaces.

This might be a place to check:
https://github.com/eclipse/eclipse.platform.ua/blob/master/org.eclipse.help.base/src/org/eclipse/help/internal/server/JettyHelpServer.java

There is this line:
if (BaseHelpSystem.getMode() == BaseHelpSystem.MODE_WORKBENCH) {
for forcing the binding.
It looks like 127.0.0.1 can be overridden by a plugin property "server_host".

However, 127.0.0.1 might not work for an IPv6 only system. On my Windows 10 machine, "ping localhost" pings ::1 so specifying localhost could get an IPv6 address.

127.0.0.1 is accessible to all local users though.

There is also the mode BaseHelpSystem.MODE_INFOCENTER which might want to listen on all interfaces.
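
The following is an added example, not part of the bug report and not code from Eclipse or Jetty. It uses only JDK classes to check whether a configured host value (such as the "server_host" property mentioned above) resolves to loopback addresses only, and to show what a loopback bind and a wildcard bind report on IPv4 and IPv6 stacks. The class name, method names and sample host values are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;

public class LoopbackBindCheck {

    /** Classifies how widely a listener bound to this address is reachable. */
    static String exposure(InetAddress a) {
        if (a.isAnyLocalAddress()) return "ALL INTERFACES";   // 0.0.0.0 or ::
        if (a.isLoopbackAddress()) return "loopback only";    // 127.0.0.0/8 or ::1
        return "network interface " + a.getHostAddress();
    }

    /** True only if every address the configured host resolves to is loopback. */
    static boolean isLoopbackOnly(String host) throws IOException {
        for (InetAddress a : InetAddress.getAllByName(host)) {
            if (!a.isLoopbackAddress()) return false;
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values for a host setting (hypothetical inputs).
        String[] candidates = { "127.0.0.1", "::1", "localhost", "0.0.0.0" };
        for (String host : candidates) {
            System.out.printf("%-10s loopback-only=%b%n", host, isLoopbackOnly(host));
        }

        // The JDK returns 127.0.0.1 or ::1 here depending on the JVM's IP stack,
        // which avoids hard-coding an IPv4 literal on an IPv6-only system.
        InetAddress loopback = InetAddress.getLoopbackAddress();

        // Bind ephemeral ports (port 0) and report what each socket is bound to.
        try (ServerSocket local = new ServerSocket();
             ServerSocket wildcard = new ServerSocket()) {
            local.bind(new InetSocketAddress(loopback, 0));
            // A null address means the wildcard address, i.e. every interface.
            wildcard.bind(new InetSocketAddress((InetAddress) null, 0));
            System.out.println(local.getLocalSocketAddress()
                    + " -> " + exposure(local.getInetAddress()));
            System.out.println(wildcard.getLocalSocketAddress()
                    + " -> " + exposure(wildcard.getInetAddress()));
        }
    }
}
```

A loopback-only result still means any local user or process on the machine can connect, as the comment above notes.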