[rfc] [icedtea-web] restrict all connections to origins also to ports
Jiri Vanek
jvanek at redhat.com
Wed Oct 7 15:40:16 UTC 2015
On 10/07/2015 05:35 PM, Andrew Azores wrote:
> On 07/10/15 10:45 AM, Jiri Vanek wrote:
>> On 10/07/2015 04:30 PM, Andrew Azores wrote:
>>> On 07/10/15 10:22 AM, Jiri Vanek wrote:
>>>> On 10/07/2015 04:18 PM, Andrew Azores wrote:
>>>>> Hi,
>>>>>
>>>>> I think this looks mostly okay. One nit/question:
>>>>>
>>>>> On 06/10/15 08:12 AM, Jiri Vanek wrote:
>>>>>> + public static int sanitizePort(final int port) {
>>>>>> + if (port < 0) {
>>>>>> + return 80;
>>>>>> + }
>>>>>> + return port;
>>>>>> + }
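Review bot: sanitizePort() hard-codes 80 as the fallback for every negative (unspecified) port, independent of the URL's protocol, so an https:// or ftp:// resource with no explicit port would be sanitized to port 80 even though its server listens on 443 or 21. Since the callers start from a URL, take the default from the protocol instead, e.g. `return u.getPort() < 0 ? u.getDefaultPort() : u.getPort();` with a URL parameter, rather than an int-only signature that cannot know the scheme.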
>>>>>
>>>>> What if the connection isn't over HTTP? If it's HTTPS then should the
>>>>> default port returned here
>>>>> still be 80? What about for something even more different, like FTP?
>>>>>
>>>>
>>>> That's a very valid point and very probably the reason why it was not there
>>>> originally.
>>>>
>>>> The entrance for the calling methods are URLs, so following the
>>>> https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>>>
>>>> should be ok.
>>>>
>>>> J.
>>>
>>> I don't follow... if I have a resource at
>>> https://some.host.com/resource/path/app.jar , then
>>> attempting to connect via "some.host.com:80" is either going to force
>>> an insecure connection to the
>>> server (uh-oh!) or just result in the webserver denying the request,
>>> isn't it?
>>>
>>> And if I have a resource on public FTP likewise at
>>> ftp://some.host.com/resource/path/app.jar and try
>>> to connect via "some.host.com:80", then the server might even just
>>> reject the connection, if it's
>>> running only an FTP server on default port 21 and no webserver on 80.
>>>
>> Sorry, I was not clear.
>>
>> I meant to add mapping like
>> if port number was specified, return that port
>> if not:
>> if protocol is http return 80
>> if it is https return 443
>> if it is ftp return 20
>> if it is scp return 22
>> if it's telnet return..
>> gopher.
>>
>> ... generally anything Java has a handler for
>>
>> I just updated the patch with
>> http://docs.oracle.com/javase/7/docs/api/java/net/URL.html#getDefaultPort%28%29
>>
>>
>> Is it ok for you now?
>
> Sounds good. Can you attach the updated patch? :)
>
That's a little bit of an issue :( I have about four patches melded together and will knot them out before
pushing.
Anyway - focusing on this hunk:
public static int getSanitizedPort(final URL u) {
    // no explicit port in the URL: fall back to the protocol's default (80/443/21)
    if (u.getPort() < 0) {
        return u.getDefaultPort();
    }
    return u.getPort();
}

public static int getPort(final URL url) {
    return getSanitizedPort(url);
}

public static String getHostAndPort(final URL url) {
    return url.getHost() + ":" + getSanitizedPort(url);
}
@Test
public void sanitizePortTest() throws MalformedURLException {
    Assert.assertEquals(0, UrlUtils.getSanitizedPort(new URL("http://aaa.cz:0")));
    Assert.assertEquals(1, UrlUtils.getSanitizedPort(new URL("https://aaa.cz:1")));
    Assert.assertEquals(100, UrlUtils.getSanitizedPort(new URL("ftp://aaa.cz:100")));
    // new URL("ssh://...") throws MalformedURLException: unknown protocol :(
    //Assert.assertEquals(1001, UrlUtils.getSanitizedPort(new URL("ssh://aaa.cz:1001")));
    //Assert.assertEquals(22, UrlUtils.getSanitizedPort(new URL("ssh://aaa.cz")));
    Assert.assertEquals(80, UrlUtils.getSanitizedPort(new URL("http://aaa.cz")));
    Assert.assertEquals(443, UrlUtils.getSanitizedPort(new URL("https://aaa.cz")));
    Assert.assertEquals(21, UrlUtils.getSanitizedPort(new URL("ftp://aaa.cz")));
}

@Test
public void getPortTest() throws MalformedURLException {
    Assert.assertEquals(1, UrlUtils.getPort(new URL("http://aa.bb:1")));
    Assert.assertEquals(10, UrlUtils.getPort(new URL("http://aa.bb:10/aa")));
    Assert.assertEquals(1000, UrlUtils.getPort(new URL("http://aa.bb:1000/aa.fs")));
    Assert.assertEquals(443, UrlUtils.getPort(new URL("https://aa.bb/aa.fs")));
    Assert.assertEquals(80, UrlUtils.getPort(new URL("http://aa.bb")));
    Assert.assertEquals(80, UrlUtils.getPort(new URL("http://aa.bb:80/a/b/c")));
}

@Test
public void getHostAndPortTest() throws MalformedURLException {
    Assert.assertEquals("aa.bb:2", UrlUtils.getHostAndPort(new URL("http://aa.bb:2")));
    Assert.assertEquals("aa.bb:12", UrlUtils.getHostAndPort(new URL("http://aa.bb:12/aa")));
    Assert.assertEquals("aa.bb:1002", UrlUtils.getHostAndPort(new URL("http://aa.bb:1002/aa.fs")));
    Assert.assertEquals("aa.bb:443", UrlUtils.getHostAndPort(new URL("https://aa.bb/aa.fs")));
    Assert.assertEquals("aa.bb:80", UrlUtils.getHostAndPort(new URL("http://aa.bb")));
    Assert.assertEquals("aa.bb:80", UrlUtils.getHostAndPort(new URL("http://aa.bb:80/a/b/c")));
}
as the refactoring remains the same....
TY!
J.
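The origin restriction the thread is about, as an added example that is not icedtea-web code: an origin comparison that uses the protocol default port the way getSanitizedPort() does, and that also compares the protocol, so https://host and http://host:80 are not confused the way the original fixed-80 fallback would have. The class and method names (OriginCheck, effectivePort, sameOrigin, allowed) are this example's own.

```java
import java.net.MalformedURLException;
import java.net.URL;

// Added example, not project code: same-origin decision with effective ports.
public final class OriginCheck {

    // Effective port: the explicit port if given, otherwise the protocol default
    // (80 for http, 443 for https, 21 for ftp), the same rule as getSanitizedPort().
    static int effectivePort(URL u) {
        return u.getPort() < 0 ? u.getDefaultPort() : u.getPort();
    }

    // Same origin only if protocol, host and effective port all match.
    // Comparing host:port alone would treat http://h:80 and https://h:80 alike,
    // and the old fixed-80 fallback would even have mapped https://h to h:80.
    static boolean sameOrigin(URL a, URL b) {
        return a.getProtocol().equalsIgnoreCase(b.getProtocol())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }

    // Decide whether a candidate resource may be fetched for the given origin.
    // URL's constructor throws for protocols the JDK has no handler for (ssh://),
    // so the candidate is parsed here and a parse failure is treated as "deny".
    static boolean allowed(URL origin, String candidate) {
        try {
            return sameOrigin(origin, new URL(candidate));
        } catch (MalformedURLException e) {
            return false;
        }
    }

    public static void main(String[] args) throws MalformedURLException {
        URL origin = new URL("https://some.host.com/resource/path/app.jar");
        String[] candidates = {
            "https://some.host.com:443/other.jar",  // implicit 443 vs explicit 443
            "http://some.host.com/other.jar",       // protocol differs, default port 80
            "https://some.host.com:8443/other.jar", // explicit non-default port
            "ssh://some.host.com/other.jar"         // no handler, cannot resolve a port
        };
        for (String c : candidates) {
            System.out.println(c + " -> " + (allowed(origin, c) ? "allowed" : "denied"));
        }
    }
}
```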