Subject: Re: DNS issue with c-aress.

Re: DNS issue with c-aress.

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 16 Feb 2011 18:47:35 +0100 (CET)

On Wed, 16 Feb 2011, Greg Christopher wrote:

> Security issue:
>
> This creates a potentially bad situation. It's possible for systems to
> create listeners that only work on loopback. In those cases, you may have
> assurances that the connection can be trusted, so you don't do the normal
> authentication steps. Listening on a regular socket of course requires
> authentication and such.

/etc/hosts has been the place for localhost resolving for 40 something years,
I don't see why that all of a sudden introduces a security problem.

I can see how a windows app that is used to the Windows way of doing things
may believe that libcurl would work the same way as they're used to have
getaddrinfo() work on their platform, even if I personally see that as an
obvious hack:

getaddrinfo on Windows is documented
(http://msdn.microsoft.com/en-us/library/ms738520(v=vs.85).aspx) to return
"all loopback addresses on the local computer" when "localhost" is passed in.

Another funny quirk is: On Windows Server 2003 and later if the pNodeName
parameter points to a string equal to "..localmachine", all registered
addresses on the local computer are returned.

Anyone up for providing a patch that brings this "feature" to c-ares for
Windows?

-- 
  / daniel.haxx.se
Received on 2011-02-16