Subject: Re: DNS issue with c-aress.

From: Guenter <lists_at_gknw.net>
Date: Wed, 16 Feb 2011 17:35:36 +0100

Hi Greg,
On 16.02.2011 17:21, Greg Christopher wrote:
> Curllib seems to be avoiding the windows API that does the lookup. Instead
> doing its own, first looking in hosts and then going out to the net.
Not curllib, but c-ares.

> Security issue:
>
> Conversely, when you write a local process that is supposed to _connect_ to
> a process on localhost such as the one above, it assumes it's going to get
> there, knows its connection will be trusted, and attempts the connection. This
> process could be sending sensitive data.
Well, besides the fact that the localhost entry might be missing in hosts, it might
also happen that a virus/worm is able to change localhost to something
other than 127.0.0.1 (or its IPv6 counterpart).
So when you speak of security, why does your app need to trust the hosts entry
for localhost at all? Why can't it just use 127.0.0.1 from the beginning
and avoid any DNS resolve step at all?
Just a thought ...

Gün.
Received on 2011-02-16
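The guard suggested above, as an added example that is not part of the thread and not c-ares code: it uses the POSIX getaddrinfo() resolver, and with AI_NUMERICHOST it parses a literal such as 127.0.0.1 or ::1 without consulting hosts or DNS at all; the function names and the sample addresses are my own assumptions.

```c
#include <netdb.h>
#include <string.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Returns 1 if sa is a loopback address (127.0.0.0/8 or ::1), else 0. */
int sockaddr_is_loopback(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
        return (ntohl(s4->sin_addr.s_addr) >> 24) == 127;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        return IN6_IS_ADDR_LOOPBACK(&s6->sin6_addr);
    }
    return 0;
}

/* Resolve `host` and accept the result only if every returned address is
 * loopback. With numeric_only != 0, AI_NUMERICHOST makes getaddrinfo() parse
 * a literal without any hosts-file or DNS step, so a name like "localhost"
 * is rejected outright instead of being looked up.
 * Returns 1 if usable (first address copied to *out when out != NULL),
 * 0 if any address is not loopback, -1 if resolution fails. */
int resolve_loopback_only(const char *host, int numeric_only,
                          struct sockaddr_storage *out)
{
    struct addrinfo hints, *res, *p;
    int ok = 1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (numeric_only)
        hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    for (p = res; p != NULL; p = p->ai_next) {
        if (!sockaddr_is_loopback(p->ai_addr)) {
            ok = 0;   /* hosts/DNS handed us a non-loopback address: refuse */
            break;
        }
    }
    if (ok && out != NULL)
        memcpy(out, res->ai_addr, res->ai_addrlen);
    freeaddrinfo(res);
    return ok;
}
```

Calling resolve_loopback_only("localhost", 0, &addr) shows what the local hosts file currently maps the name to, while the numeric_only path is what a process should use when it only ever intends to talk to itself.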