camel-users mailing list archives

From "Claus Ibsen" <>
Subject Re: Hmm, that sounds like a security vulnerability.
Date Tue, 18 Nov 2008 09:38:17 GMT

We could also add a URI option as a flag for the any/localhost stuff
But what would a good option name be?

> from("jetty:http://any:1234/myPath?anyLocalhost=true").

/Claus Ibsen
Apache Camel Committer

On Tue, Nov 18, 2008 at 10:32 AM, Trevv <> wrote:
> RomKal wrote:
>> (look at how 'netstat -an' shows ports bound to all interfaces).
> When I run 'netstat -an' some ports look like this:
> tcp        0      0  *               LISTEN
> and some look like this:
> tcp6       0      0 :::7254                 :::*                    LISTEN
>> What I'm curious about is how would be handled in IPv6, but I
>> guess the port will be opened on all interfaces however they are
>> addressed - even if they have only IPv6 address assigned (but it is
>> something I don't really know). If it is not, then your point about
>> and 0:0:0:0:0:0:0:0 is good.
> I'm not currently set up for IPv6 testing, but my intuition is that if
> there isn't any way to leave the bind address unspecified, then a person
> who wants to duplicate the behavior of a normal (unbound) ServerSocket
> might need to do something like this:
> from("jetty:").
>  to("direct:xyz");
> from("jetty:http://[::]:1234/myPath").
>  to("direct:xyz");
> from("direct:xyz")
> which seems unfortunate.
>> Not to mention the fact that 'any' is a legal host name.
> You're concerned that there might be someone who has a real interface
> named "any" and might want to bind a serversocket so that it accepts
> connections only through the interface named "any"?
> The cleanest solution would be just to omit the hostname, e.g.
> from("jetty:http://:1234/myPath")
> Unfortunately, although this syntax is legal under RFC 3986, it is illegal
> under RFC 2396.  To comply with RFC 2396, it is necessary to put some
> bogus hostname ahead of the port number.  And it ought to be a legal
> hostname, to guarantee that it can be stored in a URI without problems.
> If you're concerned that someone may want to bind a serversocket to a real
> interface named "any", perhaps it would be better to use a string that
> is more obscure.  How about "unspecified" or "anylocal" which are legal
> hostnames, but very unlikely to be used as the name of a real interface?
> Or... how about "wild.camel" as the magic hostname?
> from("jetty:http://wild.camel:1234/myPath")  // :-)

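Added example, not part of the original thread and not Camel's own code: a small Java program showing why the empty-host form discussed above is a problem for java.net.URI (which follows RFC 2396), and how the wildcard, loopback and specific bind addresses can be told apart before a listener is opened. The class name, the `scopeOf` helper and the sample URIs are assumptions made for illustration; the component prefix is assumed to be stripped already.

```java
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.URI;

public class BindScopeDemo {
    enum Scope { WILDCARD, LOOPBACK, SPECIFIC, NO_HOST }

    // Hypothetical helper: which interfaces would a listener for this URI accept on?
    static Scope scopeOf(URI u) throws Exception {
        String host = u.getHost();
        // java.net.URI cannot parse an empty host as a server-based authority,
        // so it falls back to a registry-based one and reports no host at all.
        if (host == null) return Scope.NO_HOST;
        // getHost() keeps the brackets around an IPv6 literal; drop them.
        if (host.startsWith("[")) host = host.substring(1, host.length() - 1);
        // Address literals are parsed locally, without a DNS lookup.
        InetAddress addr = InetAddress.getByName(host);
        if (addr.isAnyLocalAddress()) return Scope.WILDCARD;  // every interface
        if (addr.isLoopbackAddress()) return Scope.LOOPBACK;  // local clients only
        return Scope.SPECIFIC;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URIs, using address literals only.
        String[] samples = {
            "http://0.0.0.0:1234/myPath",
            "http://[::]:1234/myPath",
            "http://127.0.0.1:1234/myPath",
            "http://:1234/myPath"   // legal under RFC 3986, not under RFC 2396
        };
        for (String s : samples) {
            URI u = new URI(s);
            System.out.printf("%-30s host=%s port=%d authority=%s scope=%s%n",
                    s, u.getHost(), u.getPort(), u.getAuthority(), scopeOf(u));
        }
        // The two listener shapes the thread compares, on ephemeral ports:
        // a ServerSocket with no bind address, and one pinned to loopback.
        try (ServerSocket any = new ServerSocket(0);
             ServerSocket loop = new ServerSocket(0, 50, InetAddress.getLoopbackAddress())) {
            System.out.println("no bind address : " + any.getLocalSocketAddress());
            System.out.println("loopback only   : " + loop.getLocalSocketAddress());
        }
    }
}
```

A caller that treats NO_HOST or WILDCARD as an error unless an explicit opt-in is present avoids exposing a listener on every interface by accident.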