Subject: Re: DNS issue with c-ares.

From: Dima Tisnek <dimaqq_at_gmail.com>
Date: Wed, 16 Feb 2011 12:01:00 -0700

I think Greg's point was that we should use the system resolver if it is good.

IIUC "localhost" is handled correctly-ish on win* platforms either
through a file or system code depending on version; c-ares uses only a
file (old win* version), which produces unexpected results (new win*
version). It is, in a way, a bug. If I use a big stack
(c-ares/libcurl/pycurl/python) and a program on top of that and
distribute the stack as binary, I'd like it to work on all versions of
win* the same way as native win* programs do, well mostly. If it doesn't,
it's a big kick in c-ares', libcurl's, pycurl's etc. nuts and the
package/release has to use another resolver.

2c from someone who doesn't actually use localhost.

On 16 February 2011 10:47, Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Wed, 16 Feb 2011, Greg Christopher wrote:
>
>> Security issue:
>>
>>   This creates a potentially bad situation. It's possible for systems to
>> create listeners that only work on loopback. In those cases, you may have
>> assurances that the connection can be trusted, so you don't do the normal
>> authentication steps. Listening on a regular socket of course requires
>> authentication and such.
>
> /etc/hosts has been the place for localhost resolving for 40 something
> years, I don't see why that all of a sudden introduces a security problem.
>
> I can see how a Windows app that is used to the Windows way of doing things
> may believe that libcurl would work the same way as they're used to having
> getaddrinfo() work on their platform, even if I personally see that as an
> obvious hack:
>
> getaddrinfo on Windows is documented
> (http://msdn.microsoft.com/en-us/library/ms738520(v=vs.85).aspx) to return
> "all loopback addresses on the local computer" when "localhost" is passed
> in.
>
> Another funny quirk is: On Windows Server 2003 and later if the pNodeName
> parameter points to a string equal to "..localmachine", all registered
> addresses on the local computer are returned.
>
> Anyone up for providing a patch that brings this "feature" to c-ares for
> Windows?
>
> --
>
>  / daniel.haxx.se
>
Received on 2011-02-16
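
The thread turns on what a hosts-file-only resolver returns for "localhost" and on whether a client that skips authentication for loopback is really talking to loopback. The sketch below is an added example, not code from c-ares, libcurl or any poster in this thread: it audits hosts-file text the way a file-only lookup would see it. The function names and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample hosts files (not taken from any real machine).
HOSTS_WITH_ENTRY = "127.0.0.1 localhost\n::1 localhost ip6-localhost\n"
HOSTS_COMMENTED_OUT = "# 127.0.0.1 localhost\n# ::1 localhost\n"
HOSTS_REDIRECTED = "192.0.2.10 localhost   # TEST-NET-1 address\n"


def hosts_lookup(hosts_text, name="localhost"):
    """Addresses a hosts-file-only resolver would return for `name`."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        if name.lower() not in (n.lower() for n in fields[1:]):
            continue
        try:
            found.append(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address field
    return found


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped forms of 127.0.0.0/8."""
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped if mapped is not None else addr).is_loopback


def audit_localhost(hosts_text, name="localhost"):
    """Classify what the file alone says about `name`.

    "ok"           every entry is a loopback address
    "missing"      no entry; a file-only resolver has nothing to return
    "non-loopback" at least one entry leaves the loopback interface
    """
    addrs = hosts_lookup(hosts_text, name)
    if not addrs:
        return "missing", []
    bad = [str(a) for a in addrs if not is_loopback(a)]
    return ("non-loopback", bad) if bad else ("ok", [])


if __name__ == "__main__":
    for text in (HOSTS_WITH_ENTRY, HOSTS_COMMENTED_OUT, HOSTS_REDIRECTED):
        print(audit_localhost(text))
```

A "missing" or "non-loopback" result means a client that resolves "localhost" from the file alone should not treat the resulting connection as loopback-trusted.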