[rfc] [icedtea-web] restrict all connections to origins also to ports

Andrew Azores aazores at redhat.com
Wed Oct 7 15:35:15 UTC 2015


On 07/10/15 10:45 AM, Jiri Vanek wrote:
> On 10/07/2015 04:30 PM, Andrew Azores wrote:
>> On 07/10/15 10:22 AM, Jiri Vanek wrote:
>>> On 10/07/2015 04:18 PM, Andrew Azores wrote:
>>>> Hi,
>>>>
>>>> I think this looks mostly okay. One nit/question:
>>>>
>>>> On 06/10/15 08:12 AM, Jiri Vanek wrote:
>>>>> +    public static int sanitizePort(final int port) {
>>>>> +        if (port < 0) {
>>>>> +            return 80;
>>>>> +        }
>>>>> +        return port;
>>>>> +    }
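Review bot: returning 80 for every negative port ignores the URL's scheme, so an https:// resource with no explicit port (where URL.getPort() is -1) would be compared against port 80 instead of 443, and an ftp:// resource against 80 instead of its own default; that silently collapses distinct origins. Take the fallback from the scheme rather than hard-coding it, e.g. pass the URL (or its protocol) in and return url.getDefaultPort() when url.getPort() < 0, which is what the java.net.URL javadoc linked later in this thread provides; also decide what to do when getDefaultPort() itself returns -1 for a handler that defines no default port, rather than letting that value through.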
>>>>
>>>> What if the connection isn't over HTTP? If it's HTTPS then should the
>>>> default port returned here
>>>> still be 80? What about for something even more different, like FTP?
>>>>
>>>
>>> That's a very valid point and very probably the reason why it was not there
>>> originally.
>>>
>>> The entrance for the calling methods is a URL, so following the
>>> https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>>
>>> should be ok.
>>>
>>> J.
>>
>> I don't follow... if I have a resource at
>> https://some.host.com/resource/path/app.jar , then
>> attempting to connect via "some.host.com:80" is either going to force
>> an insecure connection to the
>> server (uh-oh!) or just result in the webserver denying the request,
>> isn't it?
>>
>> And if I have a resource on public FTP likewise at
>> ftp://some.host.com/resource/path/app.jar and try
>> to connect via "some.host.com:80", then the server might even just
>> reject the connection, if it's
>> running only an FTP server on default port 21 and no webserver on 80.
>>
> Sorry, I was not clear.
>
> I meant to add a mapping like:
> if the port number was specified, return that port
> if not:
> if the protocol is http return 80
> if it is https return 443
> if it is ftp return 20
> if it is scp return 22
> if it is telnet return...
> gopher...
>
> ... generally anything Java has a handler for
>
> I just updated the patch with
> http://docs.oracle.com/javase/7/docs/api/java/net/URL.html#getDefaultPort%28%29
>
>
> Is it ok for you now?

Sounds good. Can you attach the updated patch? :)

-- 
Thanks,

Andrew Azores
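
The point argued in this thread, as an added example that is not icedtea-web's code: a scheme-aware port resolver built on java.net.URL#getDefaultPort() beside the quoted hard-coded-80 version, and an origin comparison that uses it. The class and method names (OriginPortExample, sanitizePortOld, effectivePort, sameOrigin) are hypothetical, and the URLs are constructed for illustration; the only assumption about the JDK is the documented contract that URL.getPort() is -1 when no port is written and URL.getDefaultPort() returns the handler's default (80 for http, 443 for https, 21 for ftp) or -1 when the handler has none.

```java
import java.net.MalformedURLException;
import java.net.URL;

/**
 * Added example, not icedtea-web code: scheme-aware port resolution for
 * same-origin checks, contrasted with a fixed fallback of 80.
 */
public final class OriginPortExample {

    /** The version quoted in the thread: any unspecified port becomes 80, whatever the scheme. */
    public static int sanitizePortOld(final int port) {
        if (port < 0) {
            return 80;
        }
        return port;
    }

    /**
     * Hypothetical replacement. URL.getPort() is -1 when the URL carries no explicit
     * port; URL.getDefaultPort() then supplies the protocol handler's default, or -1
     * if the handler defines none (e.g. file:), which is rejected rather than guessed.
     */
    public static int effectivePort(final URL url) {
        final int explicit = url.getPort();
        if (explicit >= 0) {
            return explicit;
        }
        final int fallback = url.getDefaultPort();
        if (fallback < 0) {
            throw new IllegalArgumentException(
                    "no default port for scheme '" + url.getProtocol() + "'");
        }
        return fallback;
    }

    /** Origin is the triple (scheme, host, effective port); all three must agree. */
    public static boolean sameOrigin(final URL a, final URL b) {
        return a.getProtocol().equalsIgnoreCase(b.getProtocol())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    public static void main(final String[] args) throws MalformedURLException {
        // Constructed sample URLs, mirroring the hosts used in the discussion.
        final URL https = new URL("https://some.host.com/resource/path/app.jar");
        final URL http = new URL("http://some.host.com/resource/path/app.jar");
        final URL https443 = new URL("https://some.host.com:443/resource/path/app.jar");
        final URL ftp = new URL("ftp://some.host.com/resource/path/app.jar");

        // Fixed fallback: the https and http resources, both without a written port,
        // sanitize to the same number and so look like the same origin.
        System.out.println("old fallback, https: " + sanitizePortOld(https.getPort()));
        System.out.println("old fallback, http:  " + sanitizePortOld(http.getPort()));

        // Scheme-aware fallback: each URL resolves to its own handler's default.
        System.out.println("https   -> " + effectivePort(https));
        System.out.println("https:443 -> " + effectivePort(https443));
        System.out.println("http    -> " + effectivePort(http));
        System.out.println("ftp     -> " + effectivePort(ftp));

        // An explicit :443 and an implicit https default are the same origin;
        // https and http on the same host are not.
        System.out.println("https == https:443 ? " + sameOrigin(https, https443));
        System.out.println("https == http ?     " + sameOrigin(https, http));

        // A scheme with no default port is refused instead of silently becoming 80.
        try {
            effectivePort(new URL("file:///tmp/app.jar"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac OriginPortExample.java && java OriginPortExample`. The design choice worth keeping is that the fallback is derived from the URL object rather than from a bare int: once the port has been reduced to an integer the scheme is gone, and no later check can recover whether -1 meant 80, 443 or 21.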


More information about the distro-pkg-dev mailing list