Date: Wed, 29 Oct 2003 19:19:56 +0000
From: Colm MacCarthaigh <colmmacc@...brick.dcu.ie>
To: der Mouse <mouse@...ents.Montreal.QC.CA>
Cc: bugtraq@...urityfocus.com
Subject: Re: possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI


On Wed, Oct 29, 2003 at 01:06:55PM -0500, der Mouse wrote:
> Also, note that the application can get whichever set of semantics it
> prefers by explicitly setting the V6ONLY option on the socket; 

My main point is that this is not the case. The V6ONLY socket option
is not honoured by some widely deployed operating systems.

Although the situation is rapidly improving, I would argue that
it is currently still worth accompanying a recommendation of using
explicit AF sockets with the excellent recommendation from section
4 of the I-D:

 "In EVERY application, check for IPv4-mapped addresses wherever
  addresses enter code paths under your control (i.e., are returned from
  system calls, or from library calls, or are input from the user or a
  file), and handle them in an appropriate manner.  This approach is
  difficult in reality, and there is no way to determine whether it has
  been followed fully."

Proposing "do not accept IPv4 traffic by using AF_INET6 socket" without
even a "where available" qualifier as a solution is unsuitable and
unrealistic. It is a simple fact of life that current application
developers have to live with the fact that some OSes do not support
this behaviour.

-- 
colmmacc@...brick.dcu.ie        PubKey: colmmacc+pgp@...brick.dcu.ie  
Web:                                 http://devnull.redbrick.dcu.ie/ 
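The two recommendations discussed in this thread, as an added example that is not part of the original post or of any of the cited I-D: an application-side check for IPv4-mapped addresses wherever a peer address enters the program (so that a client arriving on an AF_INET6 socket as ::ffff:a.b.c.d is logged and access-controlled as the same IPv4 client that would appear on an AF_INET socket), together with a probe that sets IPV6_V6ONLY and reads it back. The code assumes a POSIX/BSD sockets API with inet_pton/inet_ntop and the IN6_IS_ADDR_V4MAPPED macro; the sample addresses are constructed, and the function names are this example's own.

```c
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Normalise a peer address to the text a CGI's REMOTE_ADDR (or an ACL
 * comparison) should use.  An IPv4 client arriving on an AF_INET6 socket
 * appears as an IPv4-mapped address (::ffff:a.b.c.d); emit the embedded
 * IPv4 address in dotted-quad form so "::ffff:10.1.2.3" and "10.1.2.3"
 * are never treated as two different clients.  Returns 0 on success. */
int remote_addr_text(const struct sockaddr *sa, char *out, size_t outlen)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
        return inet_ntop(AF_INET, &s4->sin_addr, out, outlen) ? 0 : -1;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) {
            struct in_addr v4;
            /* The IPv4 address is the last four bytes of the mapped form. */
            memcpy(&v4, &s6->sin6_addr.s6_addr[12], sizeof v4);
            return inet_ntop(AF_INET, &v4, out, outlen) ? 0 : -1;
        }
        return inet_ntop(AF_INET6, &s6->sin6_addr, out, outlen) ? 0 : -1;
    }
    return -1;
}

/* Parse a textual IPv4 or IPv6 address into a sockaddr (helper so the example
 * runs without a live connection).  Returns 1 on success, 0 on failure. */
int parse_addr(const char *text, struct sockaddr_storage *ss)
{
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;

    memset(ss, 0, sizeof *ss);
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;
        return 1;
    }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;
        return 1;
    }
    return 0;
}

/* Do two textual addresses denote the same client once IPv4-mapped forms are
 * unwrapped?  Returns 1 (same), 0 (different) or -1 (unparseable input). */
int same_client(const char *a, const char *b)
{
    struct sockaddr_storage sa, sb;
    char ta[INET6_ADDRSTRLEN], tb[INET6_ADDRSTRLEN];

    if (!parse_addr(a, &sa) || !parse_addr(b, &sb))
        return -1;
    if (remote_addr_text((struct sockaddr *)&sa, ta, sizeof ta) != 0 ||
        remote_addr_text((struct sockaddr *)&sb, tb, sizeof tb) != 0)
        return -1;
    return strcmp(ta, tb) == 0;
}

/* Set IPV6_V6ONLY on a fresh AF_INET6 socket and read it back.  Returns 1 if
 * the kernel reports it set, 0 if it reports it off, -1 if the option is
 * rejected or no IPv6 socket can be created.  An OS that accepts the option
 * but still delivers mapped IPv4 connections would report 1 here, which is
 * why the mapped-address check above is needed regardless of this result. */
int v6only_honoured(void)
{
    int fd, on = 1, got = 0, rc;
    socklen_t len = sizeof got;

    fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    rc = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on);
    if (rc == 0)
        rc = getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &got, &len);
    close(fd);
    return rc != 0 ? -1 : (got ? 1 : 0);
}

int main(void)
{
    /* Constructed samples: the same IPv4 client as seen on an AF_INET6 socket
     * and on an AF_INET socket, plus a native IPv6 client. */
    const char *samples[] = { "::ffff:10.1.2.3", "10.1.2.3", "2001:db8::1" };
    struct sockaddr_storage ss;
    char text[INET6_ADDRSTRLEN];
    size_t i;

    printf("IPV6_V6ONLY readback: %d\n", v6only_honoured());
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (parse_addr(samples[i], &ss) &&
            remote_addr_text((struct sockaddr *)&ss, text, sizeof text) == 0)
            printf("%-16s -> REMOTE_ADDR=%s\n", samples[i], text);
    printf("same client: %d\n", same_client(samples[0], samples[1]));
    return 0;
}
```

The readback in v6only_honoured only tells you what the kernel claims; the conclusive test on a platform whose support is in doubt is to bind an AF_INET6 socket with the option set and attempt an IPv4 connection to it, which is outside the scope of this offline example.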
