From: Martin Simmons
To: Roger Marquis
CC: des@des.no, freebsd-security@freebsd.org
Date: Thu, 25 Jan 2018 11:08:52 GMT
Subject: Re: Malicious URL ? https://[::]/

>>>>> On Wed, 24 Jan 2018 12:02:47 -0800 (PST), Roger Marquis said:
>
> Another intermediate URL-checker reports that the plugin in question
> (CanvasBlocker) is requesting https://[::]/ directly. If a bug this is
> the first I've seen of its kind. If not the question is what threat
> profile [::]:443 might expose. (Other than the obvious jail vector
> which really should be fixed. FreeBSD Foundation where are you?)

Looks like expected behaviour for CanvasBlocker:

https://github.com/kkapsner/CanvasBlocker/issues/171

__Martin