[rfc] [icedtea-web] restrict all connections to origins also to ports
Jiri Vanek
jvanek at redhat.com
Thu Oct 8 10:16:31 UTC 2015
On 10/07/2015 05:41 PM, Andrew Azores wrote:
> On 07/10/15 11:40 AM, Jiri Vanek wrote:
>> On 10/07/2015 05:35 PM, Andrew Azores wrote:
>>> On 07/10/15 10:45 AM, Jiri Vanek wrote:
>>>> On 10/07/2015 04:30 PM, Andrew Azores wrote:
>>>>> On 07/10/15 10:22 AM, Jiri Vanek wrote:
>>>>>> On 10/07/2015 04:18 PM, Andrew Azores wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I think this looks mostly okay. One nit/question:
>>>>>>>
>>>>>>> On 06/10/15 08:12 AM, Jiri Vanek wrote:
>>>>>>>> + public static int sanitizePort(final int port) {
>>>>>>>> + if (port < 0) {
>>>>>>>> + return 80;
>>>>>>>> + }
>>>>>>>> + return port;
>>>>>>>> + }
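Review bot: sanitizePort falls back to 80 for every port < 0 regardless of the URL's scheme, so an https:// or ftp:// URL written without an explicit port is normalised to :80 rather than :443 or :21 and any host:port comparison built on it will misclassify those origins. Take the URL (or at least its protocol) instead of a bare int and let the handler supply the default, e.g. `return port < 0 ? url.getDefaultPort() : port;`, and cover the https and ftp cases in the unit test.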
>>>>>>>
>>>>>>> What if the connection isn't over HTTP? If it's HTTPS then should the
>>>>>>> default port returned here
>>>>>>> still be 80? What about for something even more different, like FTP?
>>>>>>>
>>>>>>
>>>>>> That's a very valid point and very probably the reason why it was not
>>>>>> there
>>>>>> originally.
>>>>>>
>>>>>> The entry point for the calling methods is a URL, so following
>>>>>> https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>>>>>
>>>>>> should be ok.
>>>>>>
>>>>>> J.
>>>>>
>>>>> I don't follow... if I have a resource at
>>>>> https://some.host.com/resource/path/app.jar , then
>>>>> attempting to connect via "some.host.com:80" is either going to force
>>>>> an insecure connection to the
>>>>> server (uh-oh!) or just result in the webserver denying the request,
>>>>> isn't it?
>>>>>
>>>>> And if I have a resource on public FTP likewise at
>>>>> ftp://some.host.com/resource/path/app.jar and try
>>>>> to connect via "some.host.com:80", then the server might even just
>>>>> reject the connection, if it's
>>>>> running only an FTP server on default port 21 and no webserver on 80.
>>>>>
>>>> Sorry, I was not clear.
>>>>
>>>> I meant to add a mapping like:
>>>> if a port number was specified, return that port
>>>> if not:
>>>> if the protocol is http return 80
>>>> if it is https return 443
>>>> if it is ftp return 20
>>>> if it is scp return 22
>>>> if it is telnet return ..
>>>> gopher.
>>>>
>>>> ... generally anything Java has a handler for
>>>>
>>>> I just updated the patch with
>>>> http://docs.oracle.com/javase/7/docs/api/java/net/URL.html#getDefaultPort%28%29
>>>>
>>>> Is it ok for you now?
>>>
>>> Sounds good. Can you attach the updated patch? :)
>>>
>> That's a little bit of an issue :( I have about four patches melded together and
>> will untangle them before pushing.
>>
>> Anyway, focusing on this hunk:
>>
>> public static int getSanitizedPort(final URL u) {
>>     if (u.getPort() < 0) {
>>         return u.getDefaultPort();
>>     }
>>     return u.getPort();
>> }
>>
>> public static int getPort(final URL url) {
>>     return getSanitizedPort(url);
>> }
>>
>> public static String getHostAndPort(final URL url) {
>>     return url.getHost() + ":" + getSanitizedPort(url);
>> }
>>
>> @Test
>> public void sanitizePortTest() throws MalformedURLException {
>>     Assert.assertEquals(0, UrlUtils.getSanitizedPort(new URL("http://aaa.cz:0")));
>>     Assert.assertEquals(1, UrlUtils.getSanitizedPort(new URL("https://aaa.cz:1")));
>>     Assert.assertEquals(100, UrlUtils.getSanitizedPort(new URL("ftp://aaa.cz:100")));
>>     //Assert.assertEquals(1001, UrlUtils.getSanitizedPort(new URL("ssh://aaa.cz:1001"))); unknown protocol :(
>>     //Assert.assertEquals(22, UrlUtils.getSanitizedPort(new URL("ssh://aaa.cz")));
>>     Assert.assertEquals(80, UrlUtils.getSanitizedPort(new URL("http://aaa.cz")));
>>     Assert.assertEquals(443, UrlUtils.getSanitizedPort(new URL("https://aaa.cz")));
>>     Assert.assertEquals(21, UrlUtils.getSanitizedPort(new URL("ftp://aaa.cz")));
>> }
>>
>> // @Test was missing here; without it JUnit never runs this method
>> @Test
>> public void getPortTest() throws MalformedURLException {
>>     Assert.assertEquals(1, UrlUtils.getPort(new URL("http://aa.bb:1")));
>>     Assert.assertEquals(10, UrlUtils.getPort(new URL("http://aa.bb:10/aa")));
>>     Assert.assertEquals(1000, UrlUtils.getPort(new URL("http://aa.bb:1000/aa.fs")));
>>     Assert.assertEquals(443, UrlUtils.getPort(new URL("https://aa.bb/aa.fs")));
>>     Assert.assertEquals(80, UrlUtils.getPort(new URL("http://aa.bb")));
>>     Assert.assertEquals(80, UrlUtils.getPort(new URL("http://aa.bb:80/a/b/c")));
>> }
>>
>> // @Test was missing here as well
>> @Test
>> public void getHostAndPortTest() throws MalformedURLException {
>>     Assert.assertEquals("aa.bb:2", UrlUtils.getHostAndPort(new URL("http://aa.bb:2")));
>>     Assert.assertEquals("aa.bb:12", UrlUtils.getHostAndPort(new URL("http://aa.bb:12/aa")));
>>     Assert.assertEquals("aa.bb:1002", UrlUtils.getHostAndPort(new URL("http://aa.bb:1002/aa.fs")));
>>     Assert.assertEquals("aa.bb:443", UrlUtils.getHostAndPort(new URL("https://aa.bb/aa.fs")));
>>     Assert.assertEquals("aa.bb:80", UrlUtils.getHostAndPort(new URL("http://aa.bb")));
>>     Assert.assertEquals("aa.bb:80", UrlUtils.getHostAndPort(new URL("http://aa.bb:80/a/b/c")));
>> }
>>
>>
>> as the refactoring remains the same....
>>
>> TY!
>>
>>
>> J.
>
> Okay, this looks good to me.
>
Ok. Pushed to both head and 1.69 ... what about 1.5? It does not apply cleanly and needs some
tuning.. hmhm :(
?
J.
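Added example, not icedtea-web code and not part of the thread: a small stand-alone Java class that applies the URL.getDefaultPort() fallback the thread settles on and then uses the resulting effective port to compare two URLs as origins (scheme, host, port), which is what "restrict all connections to origins also to ports" needs. The class name OriginPortExample, the method names and the example.test URLs in main() are assumptions made for the illustration.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Locale;

// Added example, not icedtea-web code. Class, method names and URLs are hypothetical.
public final class OriginPortExample {

    /** Explicit port if one was given, otherwise the scheme's default as Java's handler reports it. */
    public static int getSanitizedPort(final URL u) {
        final int port = u.getPort();
        if (port < 0) {
            // getDefaultPort() is also -1 for handlers with no default (file:, jar:),
            // so those URLs keep -1 and compare equal to each other but to nothing else.
            return u.getDefaultPort();
        }
        return port;
    }

    /** host:port with the effective port, host lower-cased so the string is usable as a map key. */
    public static String getHostAndPort(final URL u) {
        return u.getHost().toLowerCase(Locale.ROOT) + ":" + getSanitizedPort(u);
    }

    /** Same origin means same scheme, same host (case-insensitive) and same effective port. */
    public static boolean sameOrigin(final URL a, final URL b) {
        return a.getProtocol().equalsIgnoreCase(b.getProtocol())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && getSanitizedPort(a) == getSanitizedPort(b);
    }

    private static void show(final URL base, final String candidate) throws MalformedURLException {
        final URL u = new URL(candidate);
        System.out.printf("%-45s -> %-22s sameOrigin=%b%n",
                candidate, getHostAndPort(u), sameOrigin(base, u));
    }

    public static void main(final String[] args) throws MalformedURLException {
        // Constructed codebase URL: no explicit port, so the effective port is the https default.
        final URL codebase = new URL("https://example.test/apps/launcher.jnlp");

        show(codebase, "https://example.test/apps/app.jar");       // no port: takes the https default
        show(codebase, "https://example.test:443/lib/util.jar");   // explicit port equal to the default
        show(codebase, "https://EXAMPLE.test/apps/app.jar");       // host comparison is case-insensitive
        show(codebase, "http://example.test/apps/app.jar");        // scheme differs, so port default differs too
        show(codebase, "https://example.test:8443/apps/app.jar");  // explicit non-default port
        show(codebase, "ftp://example.test/apps/app.jar");         // ftp default port, different scheme

        // java.net.URL only accepts schemes it has a handler for; anything else throws
        // rather than yielding a URL with an unknown default port, as the thread notes for ssh://.
        try {
            new URL("ssh://example.test/app.jar");
        } catch (final MalformedURLException e) {
            System.out.println("ssh:// rejected by java.net.URL: " + e.getMessage());
        }
    }
}
```

The comparison is deliberately done on the effective port rather than on getPort(), so "https://host" and "https://host:443" are treated as the same origin while "https://host" and "http://host" are not; a check that compared getPort() directly would see -1 on both sides of the latter pair.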