camel-users mailing list archives

From "Roman Kalukiewicz" <roman.kalukiew...@gmail.com>
Subject Re: Hmm, that sounds like a security vulnerability.
Date Tue, 18 Nov 2008 12:43:24 GMT
2008/11/18 Hadrian Zbarcea <hzbarcea@gmail.com>:
> I really don't see any difference between 0.0.0.0 as a hostname and
> anyLocalhost=true or allInterfaces=true attributes.  We'd have to either
> check for an attribute value or the hostname value.  When one reads a url,
> the semantics of 0.0.0.0 is pretty clear and we can put in the necessary
> code to deal with IPv6 (which I suspect should be handled already
> anyway).

I would like to verify that 0.0.0.0 handles all IPv6 addresses also.
If that is the case, then definitely no flag would be needed.

> I'll give this a -1.  I'll gladly change my vote if I see a compelling
> argument.

But the reason Trevv would like to have this flag is to have the
ability to expose an endpoint on all interfaces regardless of their
address (IPv4 vs. IPv6) so instead of writing:

jetty:http://0.0.0.0:80/test AND jetty:http://[::0]:80/test you can
simply use the flag. Small improvement, but basically an additional flag
is not a problem if it helps someone and doesn't affect others.

But if you can address an endpoint (I believe you can) exposed with
jetty:http://0.0.0.0:80/ with IPv6 then the flag is not needed so
definitely -1.

If someone knows it already, let's respond. Otherwise I'll try to
verify it soon at home (as here I don't have IPv6 at all).

>> This is what I really like. This way what we do is clear, and we
>> explicitly mark that we want to ignore host part of the uri.
>
> Yeah, a hostname of 0.0.0.0 would mean precisely the same thing.
> Cheers
> Hadrian
>
>
> On Nov 18, 2008, at 5:17 AM, Roman Kalukiewicz wrote:
>
>> 2008/11/18 Claus Ibsen <claus.ibsen@gmail.com>:
>>>
>>> Hi
>>>
>>> We could also add a URI option as a flag for the any/localhost stuff
>>> But what would a good option name be?
>>>
>>>> from("jetty:http://any:1234/myPath?anyLocalhost=true").
>>
>> This is what I really like. This way what we do is clear, and we
>> explicitly mark that we want to ignore host part of the uri.
>>
>> I would just change a parameter name to something like
>> 'allInterfaces=true'. The open question would be if we should default
>> this parameter to true or false?
>> * false is good, because URI is taken as a whole and nothing is
>> silently discarded by default
>> * true is good, because it is the most common usage and it is backward
>> compatible
>>
>> My choice would be *false* but it is only +0.5 - I'm not really convinced
>> ;)
>>
>> Anyway thanks Claus! I believe all interested parties are happy with
>> such a solution!
>>
>> Romek
>
>
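
Added example, not part of the original message or of Camel's code: a loopback check of which address families a wildcard listener is actually exposed on, the verification the message proposes. It works at the OS socket level in Python and does not model how Jetty or the JVM translate the host part of the URI; `can_connect` and `probe_listener` are hypothetical helper names.

```python
import socket

def can_connect(family, host, port):
    """Return True if a TCP connect to host:port succeeds within one second."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as c:
            c.settimeout(1.0)
            c.connect((host, port))
        return True
    except OSError:
        # Refused, unreachable, or address family not available on this host.
        return False

def probe_listener(family, bind_host, v6only=None):
    """Bind a listener on an ephemeral port and report which loopbacks reach it.

    Returns None when the address family or the bind is unavailable here.
    """
    try:
        srv = socket.socket(family, socket.SOCK_STREAM)
    except OSError:
        return None
    with srv:
        try:
            if v6only is not None:
                # IPV6_V6ONLY=0 lets an IPv6 wildcard socket accept IPv4 too.
                srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
            srv.bind((bind_host, 0))  # port 0: let the OS pick a free port
            srv.listen(8)
        except OSError:
            return None
        port = srv.getsockname()[1]
        return {
            "127.0.0.1": can_connect(socket.AF_INET, "127.0.0.1", port),
            "::1": can_connect(socket.AF_INET6, "::1", port),
        }

if __name__ == "__main__":
    cases = [
        ("0.0.0.0 (IPv4 wildcard)", socket.AF_INET, "0.0.0.0", None),
        (":: with IPV6_V6ONLY=1", socket.AF_INET6, "::", True),
        (":: with IPV6_V6ONLY=0 (dual stack)", socket.AF_INET6, "::", False),
    ]
    for label, family, host, v6only in cases:
        print(f"{label:36} -> {probe_listener(family, host, v6only)}")
```

Running the same probe against the port a deployed endpoint listens on shows whether it is reachable over an address family the firewall rules did not account for.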
