Re: [whatwg/url] Addressing HTTP servers over Unix domain sockets (#577) from Peter H. Jin on 2024-09-30 (public-webapps-github@w3.org from September 2024)

From: Peter H. Jin <notifications@github.com>
Date: Mon, 30 Sep 2024 00:04:03 -0700
To: whatwg/url <url@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/url/issues/577/2382274787@github.com>

> > The same effect could be accomplished by putting one of those IP addresses into the /etc/hosts file, resulting in a mapping from a human-friendly domain to the IP address which maps to the unix socket.
> 
> That's what I was saying by "you don't have to manage numeric addresses". In your proposition, you would still have to maintain a (`/etc/hosts` file) mapping host names into IP addresses and your filesystem is now filled with numeric Unix socket addresses which are a lot less clearer than eg. [`/run/user/1000/dev/app.foo.localhost`](https://github.com/randomstuff/soxidizer).
> 

> > Only the unix sockets under path prefixes mentioned in a user-defined mapping would be visible to the application.
> 
> You can achieve the same effect by directly mapping some domain names into Unix socket paths (without the intermediate IPv6 address).
> 

Sure, and I guess you might be kind of right about that.

The mapping of IPv6 addressing to unix domain sockets in this manner was something that could be easily done in an LD_PRELOAD library, which ensured that it would also work with applications that resolved the domain name to an IP and connected to that IP without having to change the application. But the mapping might be a little bit more flexible because you can map multiple domains to a single IP, which can be useful for testing name based virtual hosting.

> Note: if you map host names to special IP addresses which are mapped to Unix sockets, you then have to decide what happens when you receive one of those special IPv6 address from the DNS. Accepting them might be a [vulnerability](https://www.gabriel.urdhr.fr/2021/04/05/firefox-doh-dns-rebinding-protection-bypass/) (and for example open up your service to DNS-rebinding attacks). Loopback IP addresses and private IP addresses are often filtered for this reason.

Any sane application will use security features like checking the Host header or rejecting an SSL certificate to prevent this. Besides, it doesn't need to be under fe8f::3:0:0/96, it could also be under an IPv4 loopback prefix.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/577#issuecomment-2382274787
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/url/issues/577/2382274787@github.com>

Received on Monday, 30 September 2024 07:04:06 UTC