Date: Wed, 24 Jan 2018 12:02:47 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: Malicious URL ? https://[::]/
Message-ID: <nycvar.OFS.7.76.1801241128280.56643@mx.roble.com>
In-Reply-To: <86shawfccq.fsf@desk.des.no>
References: <nycvar.OFS.7.76.1801220930100.41328@mx.roble.com> <86wp08fcil.fsf@desk.des.no> <86shawfccq.fsf@desk.des.no>

Dag-Erling Smørgrav wrote:
> Hang on a sec - localhost should be [::1], not [::], which is the
> equivalent of 0.0.0.0.  My guess is a software bug.  Jails look a little
> weird from the inside unless you use a fully virtualized network stack.
> The proxy probably doesn't have sufficient error checking around
> getpeername() or something like that.

Another intermediate URL-checker reports that the plugin in question
(CanvasBlocker) is requesting https://[::]/ directly.

If a bug, this is the first I've seen of its kind.  If not, the question is
what threat profile [::]:443 might expose.  (Other than the obvious jail
vector, which really should be fixed.  FreeBSD Foundation, where are you?)

Karl's reference to RFC 4291 indicates it is a protocol violation as well.

The symptom has been reported to Mozilla.

Roger
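
Added example, not part of the original message or of any project named in it: a URL checker of the kind mentioned above could separate the unspecified address ([::], 0.0.0.0) from loopback ([::1]) when scanning proxy logs, as sketched here. The log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def classify_host(url):
    """Label the host of `url`: 'unspecified', 'loopback', 'address', 'name' or 'malformed'."""
    try:
        host = urlsplit(url).hostname   # brackets around IPv6 literals are stripped
    except ValueError:                  # e.g. unbalanced brackets
        return "malformed"
    if not host:
        return "malformed"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "name"                   # a DNS name, not an IP literal
    # ::ffff:a.b.c.d carries an IPv4 address; judge the embedded address.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_unspecified:             # :: or 0.0.0.0
        return "unspecified"
    if addr.is_loopback:                # ::1 or 127.0.0.0/8
        return "loopback"
    return "address"

def flag_requests(log_lines):
    """Return (line_no, url, label) for requests aimed at unspecified, loopback or malformed hosts."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 4:             # assumed layout: timestamp client method url
            continue
        label = classify_host(fields[3])
        if label in ("unspecified", "loopback", "malformed"):
            hits.append((n, fields[3], label))
    return hits

# Constructed sample lines (not real traffic): timestamp, client, method, URL
SAMPLE_LOG = [
    "2018-01-22T09:30:01 10.0.0.5 GET https://[::]/",
    "2018-01-22T09:30:02 10.0.0.5 GET https://www.freebsd.org/",
    "2018-01-22T09:30:03 10.0.0.5 GET https://[::1]:8443/status",
    "2018-01-22T09:30:04 10.0.0.5 GET http://0.0.0.0:443/",
    "2018-01-22T09:30:05 10.0.0.5 GET https://[::ffff:0.0.0.0]/",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```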