fish_config: Listen on both IPv6 and IPv4. #1324

Closed
wants to merge 1 commit into
from

Conversation

Projects
None yet
5 participants
Contributor

anders commented Mar 4, 2014

Right now it only listens on IPv4. Let's take one step into the future ;)

@anders anders referenced this pull request Mar 4, 2014

Konrad Borowski Use 127.0.0.1 for fish config.
Before this change, fish config used 0 as its address. However, this
isn't a good idea from security point of view, as web service can be
accessed from everywhere, and do anything on the account it was ran on.

This also deals with firewalls which block the access to 0 even from
the host machine itself. It possibly might fix #673, but I'm not sure.
6d74978
Contributor

geoff-codes commented Mar 5, 2014

👍 For anyone who missed the memo, the discussion rationale for this PR is here.

Owner

ridiculousfish commented Mar 5, 2014

This breaks fish_config for me. In this test:

class FishConfigTCPServer(SocketServer.TCPServer):
    """TCPServer that only accepts connections from localhost (IPv4/IPv6)."""
    WHITELIST = set(['::1', '127.0.0.1'])

    address_family = socket.AF_INET6

    def verify_request(self, request, client_address):
        return client_address[0] in FishConfigTCPServer.WHITELIST

I see that client_address[0] is ::ffff:127.0.0.1, which is not in the whitelist, so is rejected by verify_request. Not sure what the right fix is.

Contributor

geoff-codes commented Mar 6, 2014

Grr.

@anders anders fish_config: Listen on both IPv6 and IPv4.
A subclass of TCPServer was created to deny any non-local connections and to
listen using an IPv6 socket.
53b4166
Contributor

anders commented Mar 6, 2014

Sorry, that was a dumb mistake of mine. Didn't take v4-mapped addresses into consideration. Fixed it

@siteshwar siteshwar commented on the diff Mar 6, 2014

share/tools/web_config/webconfig.py
@@ -411,6 +411,16 @@ def parse_binding(self):
return readable_command + result
+class FishConfigTCPServer(SocketServer.TCPServer):
@siteshwar

siteshwar Mar 6, 2014

Member

From http://docs.python.org/2/library/socketserver.html :

"Note The SocketServer module has been renamed to socketserver in Python 3. The 2to3 tool will automatically adapt imports when converting your sources to Python 3."

It would be nice if you could update this pull request and test it with python3 too.

@anders

anders Mar 6, 2014

Contributor

I don't have Python 3 (OS X) but the code already used SocketServer. If fish_config works with Python 3 now, then it should still work.

@xfix

xfix Mar 6, 2014

Member

@sisteshwar: socketserver for Python 3 is already imported correctly.

if IS_PY2:
    import SimpleHTTPServer
    import SocketServer
    try:
        from urllib.parse import parse_qs
    except ImportError:
        from cgi import parse_qs
else:
    import http.server as SimpleHTTPServer
    import socketserver as SocketServer
    from urllib.parse import parse_qs
Owner

ridiculousfish commented Mar 31, 2014

Works for me with Python 2 and 3. Thanks for the fix! Merged as 44b35f7

anders deleted the anders:ipv6-config branch Dec 1, 2014

anders restored the anders:ipv6-config branch Dec 1, 2014

anders deleted the anders:ipv6-config branch Dec 1, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment