camel-users mailing list archives

From Hadrian Zbarcea <hzbar...@gmail.com>
Subject Re: Hmm, that sounds like a security vulnerability.
Date Tue, 18 Nov 2008 06:22:36 GMT
I agree with Roman, -1 from me as well.

It's interesting that localhost maps to the loopback address, while  
the hostname resolves to, well, a nic address, but there's no name  
defined by the standard to refer to "all nics".  This may be a  
deficiency of the standard :).

I personally see no problem with specifying 0.0.0.0 if that's what's  
desired.  First of all this is server side configuration, which means  
that it needs to be changed in one place only when moving from ipv4 to  
ipv6 so clients will not need to be upgraded (plus such an address  
won't make any sense there).  If a user wants to make that change  
with zero code changes, it could use a property for the server address.

My $0.02,
Hadrian


On Nov 17, 2008, at 12:54 PM, Roman Kalukiewicz wrote:

> Right.. it is extremely important because when IPv8 and IPv9 are going
> mainstream, Camel will already be very popular ;)
>
> But seriously now: I believe that an amount of magic increases when we
> see 'ANY' in a host part of URL and is lower when you see 0.0.0.0
> (look at how 'netstat -an' shows ports bound to all interfaces). Not
> to mention the fact that 'any' is a legal host name.
>
> What I'm curious about is how 0.0.0.0 would be handled in IPv6, but I
> guess the port will be opened on all interfaces however they are
> addressed - even if they have only IPv6 address assigned (but it is
> something I don't really know). If it is not, then your point about
> 0.0.0.0 and 0:0:0:0:0:0:0:0 is good.
>
> So my opinion here is -1
> because of the amount of magic that translates legal hostname to what is
> generally already handled by 0.0.0.0/0:0:0:0:0:0:0:0.
>
> Roman
>
> 2008/11/17 Trevv <456@safe-mail.net>:
>>
>> Specifying "0.0.0.0" isn't as good as specifying null, because when you
>> specify null you allow Sun's engineers (current or future) to make the
>> decision.  They can choose to interpret null as meaning both INADDR_ANY
>> and IN6ADDR_ANY, and they can add IN8ADDR_ANY and IN9ADDR_ANY later.
>>
>> I think requiring a person to specify "0.0.0.0" and "0:0:0:0:0:0:0:0"
>> explicitly would cause some unnecessary brittleness.
>>
>> How about this convention?  "jetty:http://any:1234/myPath" in which
>> "any" or "ANY" means to specify null as the bindAddr, or to use one of
>> the ServerSocket constructors that don't require bindAddr.
>> --
>> View this message in context: http://www.nabble.com/Jetty-and-Mina%3A-how-to-bind-to-%22anylocal%22-AKA-%22wildcard%22-address--tp20475674s22882p20536134.html
>> Sent from the Camel - Users mailing list archive at Nabble.com.
>>
>>
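
Added example, not part of the original thread and not Camel, Jetty or Mina code: a small Java check that binds an ephemeral port with each host form discussed above (`localhost`, `0.0.0.0`, the IPv6 wildcard, and a null `bindAddr`) and reports whether the resulting listener is loopback-only or reachable on every interface. The class name `BindAddressCheck` and the helpers `exposure` and `probe` are hypothetical names chosen for this illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;

public class BindAddressCheck {

    // Classify where a listener bound to this local address can be reached from.
    static String exposure(InetAddress bound) {
        if (bound.isAnyLocalAddress()) return "ALL interfaces (wildcard)";
        if (bound.isLoopbackAddress()) return "loopback only";
        return "single interface " + bound.getHostAddress();
    }

    // Bind an ephemeral port (0) the way a server endpoint would and describe the result.
    static String probe(String host) throws IOException {
        // A null bindAddr leaves the choice of wildcard address to the JDK.
        // InetAddress.getByName(null) would return loopback instead, so null is
        // passed straight through to the ServerSocket constructor.
        InetAddress addr = (host == null) ? null : InetAddress.getByName(host);
        try (ServerSocket s = new ServerSocket(0, 50, addr)) {
            return String.format("%-10s -> %-35s %s",
                    host, s.getLocalSocketAddress(), exposure(s.getInetAddress()));
        }
    }

    public static void main(String[] args) {
        // Host forms taken from the thread; "::" is the short form of 0:0:0:0:0:0:0:0.
        String[] hosts = { "localhost", "0.0.0.0", "::", null };
        for (String h : hosts) {
            try {
                System.out.println(probe(h));
            } catch (IOException e) {
                // For example, "::" cannot be bound on a host with IPv6 disabled.
                System.out.println(h + " -> cannot bind: " + e.getMessage());
            }
        }
    }
}
```

Running this alongside `netstat -an` on the deployment host shows which configured endpoints end up listening on all interfaces rather than on loopback.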

