[rfc] [icedtea-web] restrict all connections to origins also to ports
Andrew Azores
aazores at redhat.com
Wed Oct 7 14:30:09 UTC 2015
On 07/10/15 10:22 AM, Jiri Vanek wrote:
> On 10/07/2015 04:18 PM, Andrew Azores wrote:
>> Hi,
>>
>> I think this looks mostly okay. One nit/question:
>>
>> On 06/10/15 08:12 AM, Jiri Vanek wrote:
>>> + public static int sanitizePort(final int port) {
>>> + if (port < 0) {
>>> + return 80;
>>> + }
>>> + return port;
>>> + }
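Review bot: the `port < 0` branch hands back 80 for every scheme, so an https:// or ftp:// URL with no explicit port gets mapped to the plain HTTP port. Since the callers pass a java.net.URL, the scheme's own default is already available from `url.getDefaultPort()` (443 for https, 21 for ftp), and the -1 result from `url.getPort()` can be resolved against that instead of a hard-coded 80; a scheme with no known default should then stay unresolved rather than silently become 80.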
>>
>> What if the connection isn't over HTTP? If it's HTTPS then should the
>> default port returned here
>> still be 80? What about for something even more different, like FTP?
>>
>
> That's a very valid point and very probably the reason why it was not there
> originally.
>
> The entrance for the calling methods are URLs, so following the
> https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>
> should be ok.
>
> J.
I don't follow... if I have a resource at
https://some.host.com/resource/path/app.jar , then attempting to connect
via "some.host.com:80" is either going to force an insecure connection
to the server (uh-oh!) or just result in the webserver denying the
request, isn't it?
And if I have a resource on public FTP likewise at
ftp://some.host.com/resource/path/app.jar and try to connect via
"some.host.com:80", then the server might even just reject the
connection, if it's running only an FTP server on default port 21 and no
webserver on 80.
--
Thanks,
Andrew Azores
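The scheme-dependent default that the thread argues about, as an added example (not icedtea-web code and not from either poster): the port is resolved with java.net.URL.getDefaultPort() instead of a fixed 80, and an origin comparison then includes that effective port alongside scheme and host. The class and method names are assumed; the URLs reuse the hosts from the mail.

```java
import java.net.MalformedURLException;
import java.net.URL;

// Added example, not icedtea-web code: scheme-aware port defaulting and an
// origin check built on it. Class and method names are assumed.
public class OriginPortExample {

    // The reviewed sanitizePort() returned 80 for any unset port. Here the
    // scheme's own default (java.net.URL.getDefaultPort()) is used instead,
    // so https:// resolves to 443 and ftp:// to 21.
    public static int effectivePort(final URL url) {
        final int port = url.getPort();            // -1 when no port is written in the URL
        if (port < 0) {
            final int def = url.getDefaultPort();  // -1 when the handler has no default
            return def < 0 ? port : def;           // unknown stays -1 rather than becoming 80
        }
        return port;
    }

    // Two URLs share an origin only when scheme, host and effective port all
    // agree; "https://h/x" and "https://h:443/x" therefore match, while
    // "https://h/x" and "http://h/x" do not.
    public static boolean sameOrigin(final URL a, final URL b) {
        return a.getProtocol().equalsIgnoreCase(b.getProtocol())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }

    public static void main(final String[] args) throws MalformedURLException {
        // Constructed sample URLs using the host from the thread.
        final URL https = new URL("https://some.host.com/resource/path/app.jar");
        final URL httpsExplicit = new URL("https://some.host.com:443/resource/path/app.jar");
        final URL ftp = new URL("ftp://some.host.com/resource/path/app.jar");
        final URL http = new URL("http://some.host.com/resource/path/app.jar");

        System.out.println("https effective port: " + effectivePort(https));
        System.out.println("ftp effective port:   " + effectivePort(ftp));
        System.out.println("http effective port:  " + effectivePort(http));
        System.out.println("https vs https:443 same origin: " + sameOrigin(https, httpsExplicit));
        System.out.println("https vs http same origin:      " + sameOrigin(https, http));
        System.out.println("https vs ftp same origin:       " + sameOrigin(https, ftp));
    }
}
```

Keeping -1 for a scheme with no registered default is deliberate: a caller that cannot determine the port should refuse or ask, rather than be silently steered onto port 80 as the original check would do.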