camel-users mailing list archives

From "Claus Ibsen" <claus.ib...@gmail.com>
Subject Re: Hmm, that sounds like a security vulnerability.
Date Tue, 18 Nov 2008 09:38:17 GMT
Hi

We could also add a URI option as a flag for the any/localhost stuff
But what would a good option name be?

> from("jetty:http://any:1234/myPath?anyLocalhost=true").



/Claus Ibsen
Apache Camel Committer
Blog: http://davsclaus.blogspot.com/



On Tue, Nov 18, 2008 at 10:32 AM, Trevv <456@safe-mail.net> wrote:
>
>
> RomKal wrote:
>> (look at how 'netstat -an' shows ports bound to all interfaces).
> When I run 'netstat -an' some ports look like this:
>
> tcp        0      0 0.0.0.0:6031            0.0.0.0:*               LISTEN
>
> and some look like this:
>
> tcp6       0      0 :::7254                 :::*                    LISTEN
>
>> What I'm curious about is how 0.0.0.0 would be handled in IPv6, but I
>> guess the port will be opened on all interfaces however they are
>> addressed - even if they have only IPv6 address assigned (but it is
>> something I don't really know). If it is not, then your point about
>> 0.0.0.0 and 0:0:0:0:0:0:0:0 is good.
> I'm not currently set up for IPv6 testing, but my intuition is that if
> there isn't any way to leave the bind address unspecified, then a person
> who wants to duplicate the behavior of a normal (unbound) ServerSocket
> might need to do something like this:
>
> from("jetty:http://0.0.0.0:1234/myPath").
>  to("direct:xyz");
> from("jetty:http://[::]:1234/myPath").
>  to("direct:xyz");
> from("direct:xyz")
>
> which seems unfortunate.
>
>> Not to mention the fact that 'any' is a legal host name.
> You're concerned that there might be someone who has a real interface
> named "any" and might want to bind a serversocket so that it accepts
> connections only through the interface named "any"?
>
> The cleanest solution would be just to omit the hostname, e.g.
>
> from("jetty:http://:1234/myPath")
>
> Unfortunately, although this syntax is legal under RFC 3986, it is illegal
> under RFC 2396.  To comply with RFC 2396, it is necessary to put some
> bogus hostname ahead of the port number.  And it ought to be a legal
> hostname, to guarantee that it can be stored in a URI without problems.
>
> If you're concerned that someone may want to bind a serversocket to a real
> interface named "any", perhaps it would be better to use a string that
> is more obscure.  How about "unspecified" or "anylocal" which are legal
> hostnames, but very unlikely to be used as the name of a real interface?
> Or... how about "wild.camel" as the magic hostname?
>
> from("jetty:http://wild.camel:1234/myPath")  // :-)
> --
> View this message in context: http://www.nabble.com/Jetty-and-Mina%3A-how-to-bind-to-%22anylocal%22-AKA-%22wildcard%22-address--tp20475674s22882p20556161.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
>
>

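The thread turns on two things a defender wants to be able to check mechanically: which listeners in `netstat -an` output are bound to the unspecified address (0.0.0.0 or ::) and therefore reachable on every interface, and what the host part of a Camel `jetty:` URI actually denotes (a wildcard, a loopback or specific address, an empty host as RFC 3986 permits, or a syntactically legal hostname such as "any" that the socket layer would resolve rather than treat as a wildcard). The following script is an added example, not code from this thread or from Apache Camel; the netstat sample is constructed from the two lines quoted above plus a few extra rows, and the classification is done purely on the text, with no DNS lookup or socket bind.

```python
from __future__ import annotations

import ipaddress
from typing import NamedTuple
from urllib.parse import urlsplit

# Constructed sample of `netstat -an` output, modelled on the two lines quoted
# in the thread plus a few extra rows for contrast. Not real host data.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6031            0.0.0.0:*               LISTEN
tcp6       0      0 :::7254                 :::*                    LISTEN
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:8080                :::*                    LISTEN
tcp        0      0 192.0.2.10:443          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:52100        198.51.100.5:443        ESTABLISHED
"""


class Listener(NamedTuple):
    proto: str      # tcp or tcp6
    host: str       # local address exactly as netstat printed it
    port: int
    wildcard: bool  # True when bound to 0.0.0.0 or :: (all interfaces)


def split_host_port(endpoint: str) -> tuple[str, int]:
    """Split netstat's 'host:port' column. rpartition is used because IPv6
    addresses contain colons themselves (':::7254' is host '::', port 7254)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def classify_bind_host(host: str) -> str:
    """Classify the host part of a bind address without any DNS lookup.

    Returns 'wildcard-v4', 'wildcard-v6', 'loopback', 'specific', 'empty' or
    'hostname'. Names such as 'any' or 'wild.camel' are syntactically legal
    hostnames, so they come back as 'hostname': the socket layer would resolve
    them rather than treat them as the unspecified address.
    """
    stripped = host.strip("[]")
    if stripped == "":
        return "empty"  # allowed by RFC 3986, not by RFC 2396
    try:
        addr = ipaddress.ip_address(stripped)
    except ValueError:
        return "hostname"
    if addr.is_unspecified:
        return f"wildcard-v{addr.version}"
    if addr.is_loopback:
        return "loopback"
    return "specific"


def bind_host_of_camel_uri(uri: str) -> str:
    """Extract the host from a Camel endpoint URI such as
    'jetty:http://0.0.0.0:1234/myPath'. The component scheme ('jetty:') is
    stripped first so that urlsplit sees an ordinary http URL."""
    _, _, inner = uri.partition(":")
    return urlsplit(inner).hostname or ""


def parse_netstat(text: str) -> list[Listener]:
    """Parse LISTEN rows out of `netstat -an` output (Linux column layout)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue  # header, UDP rows, or non-socket lines
        proto, local, state = fields[0], fields[3], fields[5]
        if state != "LISTEN":
            continue
        host, port = split_host_port(local)
        wildcard = classify_bind_host(host).startswith("wildcard")
        listeners.append(Listener(proto, host, port, wildcard))
    return listeners


def exposed_ports(text: str) -> list[tuple[str, int]]:
    """Return (proto, port) for every listener reachable on all interfaces."""
    return [(l.proto, l.port) for l in parse_netstat(text) if l.wildcard]


if __name__ == "__main__":
    for entry in parse_netstat(SAMPLE_NETSTAT):
        scope = "ALL INTERFACES" if entry.wildcard else classify_bind_host(entry.host)
        print(f"{entry.proto:5} {entry.host:>12}:{entry.port:<6} {scope}")
    for uri in ("jetty:http://0.0.0.0:1234/myPath",
                "jetty:http://[::]:1234/myPath",
                "jetty:http://any:1234/myPath",
                "jetty:http://:1234/myPath"):
        print(f"{uri:40} -> {classify_bind_host(bind_host_of_camel_uri(uri))}")
```

Running it against real `netstat -an` output (read from stdin instead of the constructed sample) gives a quick inventory of which services a route author has opened to the whole network rather than to one interface; the URI classifier is the static counterpart, catching a magic hostname that would be handed to the resolver before any socket is ever bound.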