camel-users mailing list archives

From Trevv <>
Subject Re: Hmm, that sounds like a security vulnerability.
Date Wed, 19 Nov 2008 08:59:29 GMT

I agree that Claus's idea would solve the problem.  "Anylocalhost"
isn't quite right, but I think "anylocal" or "anylocaladdress" or
"allinterfaces" would be good.

RomKal wrote:
> But if you can address an endpoint (I believe you can) exposed with
> jetty: with IPv6 then flag is not needed so
> definitely -1.
> If someone knows it already, let's respond. Otherwise I'll try to
> verify it soon at home (as here I don't have IPv6 at all).
I don't think this is something that you can verify by testing,
because it might be implemented differently in different operating
systems.  I did a quick Web search, and the most relevant comment
that I found was this one, by an OS engineer at Sun:

Kacheong Poon wrote:
> To make it easy for porting application from using IPv4 to IPv6,
> an interesting feature was introduced.  An IPv6 socket is allowed
> to receive both IPv4 and IPv6 traffic by default.  For example, an
> IPv6 TCP listening socket bind() to unspecified address and port
> x can receive connection requests from both IPv4 and IPv6 remote
> hosts to port x.  While porting is made easier, this is actually
> not "strictly correct."  Logically, IPv4 and IPv6 port spaces for
> transport protocols should be separate, hence this check in the
> code.
> [networking-discuss] Solaris socket bind() behavior 

In other words... it's complicated.  That's why I think that the
smartest thing to do, if you just want a normal serversocket, is
to leave the bind address as null, and let Sun's Java engineers
decide what to do, instead of trying to find a non-null string
that you think will have the same effect that null would have.

On the other hand... having to specify both and [::] is
unfortunate, but not a disaster.  So I don't really need a fix.
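
An added example, not part of the original message and not Camel or Jetty code: a small Java check of which local addresses a listener answers on when the bind address is left null, compared with one bound to IPv4 loopback only. The class name, the 127.0.0.1 comparison case, the backlog and the 500 ms timeout are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.NetworkInterface;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.List;
import java.util.stream.Collectors;

public class BindAddressCheck {

    // Try a TCP connect to the listener through one specific local address.
    static boolean reachableVia(ServerSocket server, InetAddress target) {
        try (Socket probe = new Socket()) {
            probe.connect(new InetSocketAddress(target, server.getLocalPort()), 500);
            return true;
        } catch (IOException e) {
            return false; // refused, timed out, or address family unavailable
        }
    }

    static void report(String label, InetAddress bindAddr, List<InetAddress> probes)
            throws IOException {
        // Port 0 asks for an ephemeral port; a null bindAddr means "any local address".
        try (ServerSocket server = new ServerSocket(0, 50, bindAddr)) {
            InetAddress bound = server.getInetAddress();
            System.out.printf("%s: bound=%s anyLocal=%b%n",
                    label, bound.getHostAddress(), bound.isAnyLocalAddress());
            for (InetAddress p : probes) {
                System.out.printf("    via %s -> %s%n", p.getHostAddress(),
                        reachableVia(server, p) ? "accepted" : "not reachable");
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Probe set: every address configured on this host's own interfaces,
        // IPv4 and IPv6, loopback included.
        List<InetAddress> probes = NetworkInterface.networkInterfaces()
                .flatMap(NetworkInterface::inetAddresses)
                .collect(Collectors.toList());

        report("null bind address", null, probes);
        report("127.0.0.1 only", InetAddress.getByName("127.0.0.1"), probes);
    }
}
```

Whether the null-bound listener accepts connections on both the IPv4 and IPv6 addresses depends on the operating system and JVM network settings, so the output is worth checking on each platform the endpoint is deployed on.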