Re: possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI

From: Colm MacCarthaigh (colmmacc_at_redbrick.dcu.ie)
Date: 10/29/03

    Date: Wed, 29 Oct 2003 19:19:56 +0000
    To: der Mouse <mouse@Rodents.Montreal.QC.CA>
    
    

    On Wed, Oct 29, 2003 at 01:06:55PM -0500, der Mouse wrote:
    > Also, note that the application can get whichever set of semantics it
    > prefers by explicitly setting the V6ONLY option on the socket;

    My main point is that this is not the case. The V6ONLY socket option
    is not honoured by some widely-deployed Operating Systems.

    Although the situation is rapidly improving, I would argue that
    it is currently still worth accompanying a recommendation of using
    explicit AF sockets with the excellent recommendation from section
    4 of the I-D;

     "In EVERY application, check for IPv4-mapped addresses wherever
      addresses enter code paths under your control (i.e., are returned from
      system calls, or from library calls, or are input from the user or a
      file), and handle them in an appropriate manner. This approach is
      difficult in reality, and there is no way to determine whether it has
      been followed fully."

    Proposing "do not accept IPv4 traffic by using AF_INET6 socket" without
    even a "where available" qualifier as a solution is unsuitable and
    unrealistic. It is a simple fact of life that current application
    developers have to live with the fact that some OS's do not support
    this behaviour.

    -- 
    colmmacc@redbrick.dcu.ie        PubKey: colmmacc+pgp@redbrick.dcu.ie  
    Web:                                 http://devnull.redbrick.dcu.ie/ 
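
Added example, not part of the original message or of the Internet-Draft it quotes: one way to combine both recommendations in C, by requesting IPV6_V6ONLY and confirming the OS kept it, and by canonicalising IPv4-mapped peer addresses wherever they enter the application. The function names `request_v6only`, `normalize_peer` and `peer_text` are hypothetical, and the addresses used with them are constructed documentation-range values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Request IPv6-only semantics, then read the option back. Returns 1 only if
 * the OS accepted and kept it; on 0, mapped addresses may still arrive. */
int request_v6only(int fd)
{
    int on = 1, got = 0;
    socklen_t len = sizeof(got);
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) != 0)
        return 0;
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &got, &len) != 0)
        return 0;
    return got != 0;
}

/* Canonicalise a peer address so ACLs, logs and REMOTE_ADDR see ::ffff:a.b.c.d
 * as plain a.b.c.d. Returns AF_INET, AF_INET6, or -1 on failure. */
int normalize_peer(const struct sockaddr *sa, char *out, socklen_t outlen)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
        return inet_ntop(AF_INET, &s4->sin_addr, out, outlen) ? AF_INET : -1;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) {
            struct in_addr v4;   /* low 32 bits carry the IPv4 address */
            memcpy(&v4, &s6->sin6_addr.s6_addr[12], sizeof(v4));
            return inet_ntop(AF_INET, &v4, out, outlen) ? AF_INET : -1;
        }
        return inet_ntop(AF_INET6, &s6->sin6_addr, out, outlen) ? AF_INET6 : -1;
    }
    return -1;
}

/* Demo helper: run normalize_peer() on a constructed IPv6 literal. */
const char *peer_text(const char *v6_literal)
{
    static char buf[INET6_ADDRSTRLEN];
    struct sockaddr_in6 s6;
    memset(&s6, 0, sizeof(s6));
    s6.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, v6_literal, &s6.sin6_addr) != 1)
        return NULL;
    return normalize_peer((struct sockaddr *)&s6, buf, sizeof(buf)) < 0 ? NULL : buf;
}
```

In a server, `normalize_peer` would be called on the address returned by `accept()` or `getpeername()` before any access check or before exporting REMOTE_ADDR, whether or not `request_v6only` reported success.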
    
