[rfc] [icedtea-web] restrict all connections to origins also to ports

Andrew Azores aazores at redhat.com
Wed Oct 7 15:41:46 UTC 2015


On 07/10/15 11:40 AM, Jiri Vanek wrote:
> On 10/07/2015 05:35 PM, Andrew Azores wrote:
>> On 07/10/15 10:45 AM, Jiri Vanek wrote:
>>> On 10/07/2015 04:30 PM, Andrew Azores wrote:
>>>> On 07/10/15 10:22 AM, Jiri Vanek wrote:
>>>>> On 10/07/2015 04:18 PM, Andrew Azores wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I think this looks mostly okay. One nit/question:
>>>>>>
>>>>>> On 06/10/15 08:12 AM, Jiri Vanek wrote:
>>>>>>> +    public static int sanitizePort(final int port) {
>>>>>>> +        if (port < 0) {
>>>>>>> +            return 80;
>>>>>>> +        }
>>>>>>> +        return port;
>>>>>>> +    }
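Review bot: sanitizePort(int) maps every unspecified port (port < 0) to 80 regardless of the URL's scheme, so an https:// or ftp:// resource would be assigned the wrong origin port and could be treated as a different (or a falsely matching) origin. Pass the URL itself and return u.getDefaultPort() when u.getPort() < 0, so https yields 443 and ftp 21 without a hand-written scheme table.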
>>>>>>
>>>>>> What if the connection isn't over HTTP? If it's HTTPS then should the
>>>>>> default port returned here
>>>>>> still be 80? What about for something even more different, like FTP?
>>>>>>
>>>>>
>>>>> That's a very valid point and very probably the reason why it was not
>>>>> there
>>>>> originally.
>>>>>
>>>>> The entrance for the calling methods is a URL, so following the
>>>>> https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>>>>
>>>>> should be ok.
>>>>>
>>>>> J.
>>>>
>>>> I don't follow... if I have a resource at
>>>> https://some.host.com/resource/path/app.jar , then
>>>> attempting to connect via "some.host.com:80" is either going to force
>>>> an insecure connection to the
>>>> server (uh-oh!) or just result in the webserver denying the request,
>>>> isn't it?
>>>>
>>>> And if I have a resource on public FTP likewise at
>>>> ftp://some.host.com/resource/path/app.jar and try
>>>> to connect via "some.host.com:80", then the server might even just
>>>> reject the connection, if it's
>>>> running only an FTP server on default port 21 and no webserver on 80.
>>>>
>>> Sorry, I was not clear.
>>>
>>> I meant to add a mapping like:
>>> if a port number was specified, return that port
>>> if not:
>>> if the protocol is http return 80
>>> if it is https return 443
>>> if it is ftp return 20
>>> if it is scp return 22
>>> if it's telnet return..
>>> gopher.
>>>
>>> ... generally anything Java has a handler for
>>>
>>> I just updated the patch with
>>> http://docs.oracle.com/javase/7/docs/api/java/net/URL.html#getDefaultPort%28%29
>>>
>>>
>>>
>>> Is it ok for you now?
>>
>> Sounds good. Can you attach the updated patch? :)
>>
> That's a little bit of an issue :( I have about four patches melded together and
> will knot them out before pushing.
>
> Anyway - focusing to this hunk:
>
>     public static int getSanitizedPort(final URL u) {
>         if (u.getPort() < 0) {
>             return u.getDefaultPort();
>         }
>         return u.getPort();
>     }
>
>     public static int getPort(final URL url) {
>         return getSanitizedPort(url);
>     }
>
>     public static String getHostAndPort(final URL url) {
>         return url.getHost() + ":" + getSanitizedPort(url);
>     }
>
>
>     @Test
>     public void sanitizePortTest() throws MalformedURLException {
>         Assert.assertEquals(0, UrlUtils.getSanitizedPort(new URL("http://aaa.cz:0")));
>         Assert.assertEquals(1, UrlUtils.getSanitizedPort(new URL("https://aaa.cz:1")));
>         Assert.assertEquals(100, UrlUtils.getSanitizedPort(new URL("ftp://aaa.cz:100")));
>         //Assert.assertEquals(1001, UrlUtils.getSanitizedPort(new URL("ssh://aaa.cz:1001"))); unknown protocol :(
>         //Assert.assertEquals(22, UrlUtils.getSanitizedPort(new URL("ssh://aaa.cz")));
>         Assert.assertEquals(80, UrlUtils.getSanitizedPort(new URL("http://aaa.cz")));
>         Assert.assertEquals(443, UrlUtils.getSanitizedPort(new URL("https://aaa.cz")));
>         Assert.assertEquals(21, UrlUtils.getSanitizedPort(new URL("ftp://aaa.cz")));
>     }
>
>     @Test
>     public void getPortTest() throws MalformedURLException {
>         Assert.assertEquals(1, UrlUtils.getPort(new URL("http://aa.bb:1")));
>         Assert.assertEquals(10, UrlUtils.getPort(new URL("http://aa.bb:10/aa")));
>         Assert.assertEquals(1000, UrlUtils.getPort(new URL("http://aa.bb:1000/aa.fs")));
>         Assert.assertEquals(443, UrlUtils.getPort(new URL("https://aa.bb/aa.fs")));
>         Assert.assertEquals(80, UrlUtils.getPort(new URL("http://aa.bb")));
>         Assert.assertEquals(80, UrlUtils.getPort(new URL("http://aa.bb:80/a/b/c")));
>     }
>
>     @Test
>     public void getHostAndPortTest() throws MalformedURLException {
>         Assert.assertEquals("aa.bb:2", UrlUtils.getHostAndPort(new URL("http://aa.bb:2")));
>         Assert.assertEquals("aa.bb:12", UrlUtils.getHostAndPort(new URL("http://aa.bb:12/aa")));
>         Assert.assertEquals("aa.bb:1002", UrlUtils.getHostAndPort(new URL("http://aa.bb:1002/aa.fs")));
>         Assert.assertEquals("aa.bb:443", UrlUtils.getHostAndPort(new URL("https://aa.bb/aa.fs")));
>         Assert.assertEquals("aa.bb:80", UrlUtils.getHostAndPort(new URL("http://aa.bb")));
>         Assert.assertEquals("aa.bb:80", UrlUtils.getHostAndPort(new URL("http://aa.bb:80/a/b/c")));
>     }
>
>
> as the refactoring remains the same....
>
> TY!
>
>
> J.

Okay, this looks good to me.

-- 
Thanks,

Andrew Azores
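As an added example (not IcedTea-Web code, and not part of the thread above), the following Java shows the URL.getDefaultPort() approach the thread settles on, extended to the origin comparison it exists to serve: two URLs are the same origin only if scheme, host and effective port all match, with the default port filled in when the URL omits it. The class and method names are hypothetical and the URLs are constructed samples; the ssh:// case shows Java rejecting a scheme it has no handler for, as the commented-out test in the thread notes.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Locale;

// Added example, not IcedTea-Web code: the port is part of the origin, and an
// omitted port must be resolved to the scheme's default before comparing.
public final class OriginPortExample {

    // Hypothetical helper; mirrors the getSanitizedPort idea from the thread.
    // URL.getPort() returns -1 when the URL carries no explicit port.
    public static int effectivePort(final URL u) {
        final int explicit = u.getPort();
        if (explicit < 0) {
            // Scheme default from the registered handler: http 80, https 443, ftp 21.
            return u.getDefaultPort();
        }
        return explicit;
    }

    // Host is case-insensitive; normalise before joining with the port.
    public static String hostAndPort(final URL u) {
        return u.getHost().toLowerCase(Locale.ROOT) + ":" + effectivePort(u);
    }

    // Same origin only if protocol, host and effective port all agree.
    public static boolean sameOrigin(final URL a, final URL b) {
        return a.getProtocol().equalsIgnoreCase(b.getProtocol())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample codebase, as in the discussion above.
        final URL codebase = new URL("https://some.host.com/resource/path/app.jar");
        final URL[] candidates = {
            new URL("https://some.host.com:443/other.jar"),  // explicit 443 == https default: same origin
            new URL("http://some.host.com/other.jar"),       // http, default 80: different origin
            new URL("https://some.host.com:8443/other.jar"), // same host, other port: different origin
            new URL("ftp://some.host.com/other.jar"),        // ftp, default 21: different origin
        };
        for (URL c : candidates) {
            System.out.printf("%-45s -> %-22s sameOrigin=%b%n",
                    c, hostAndPort(c), sameOrigin(codebase, c));
        }
        // java.net.URL only accepts schemes it has a handler for, so ssh:// fails
        // at construction rather than reaching the port logic.
        try {
            new URL("ssh://aaa.cz:1001");
        } catch (MalformedURLException e) {
            System.out.println("ssh:// rejected: " + e.getMessage());
        }
    }
}
```

Relying on getDefaultPort() rather than a hand-written scheme table keeps the origin check correct for every scheme the runtime knows, and a scheme the runtime does not know is refused before any port is compared rather than silently mapped to 80.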

