Block access to ::, ::ffff:0:0, and 0.0.0.0 #1763
base: main
Conversation
Should this perhaps also include
I got concerned when I saw an article on this bug. No offense, but given that y'all haven't patched it yet (thanks for working on this), would this little extension I tried to make for myself help protect me for now, while I wait for your actual, functional fix?
@fogti I thought that could not be represented due to the way URL parsing works, but it seems I'm mistaken. Will have to look at that some more. I also realized this fix is incorrect as we should block this after resolving an origin to an IP address, not before. @MaraJadeLives I'm not sure who you mean by "y'all" but I no longer work for Mozilla. Also, this repository hosts the Fetch standard, not any particular implementation.
@fogti @sysrqb @mozfreddyb @ricea could you all please review? Feel free to nominate others as well. (I looked into the URL Standard and it does seem to properly deal with
I believe this should also block IPv4 mapped
That would be
I think we might need to include 6to4 which also includes v4 addresses in v6. Would that be 2002::/48? |
While not directly appropriate for this PR, we should think about adding a similar check as part of response blocking, as well. I'm thinking about some proxying protocols where DNS resolution is performed by the proxy, and the results are similarly undefined in that case.
For 6to4 and Then furthermore, are we sure 6to4 and
Definitively not; the Internet Protocol Version 6 Address Space registry includes the deprecated ::/96 "IPv4-compatible IPv6 address" and the IPv6 Special-Purpose Address Registry includes 64:ff9b::/96 as the well-known prefix for algorithmic translations and 64:ff9b:1::/48 as the prefix for local network domain translation. And RFC 6052 also allows networks to use their own self-chosen prefixes.
@davidben do you have any concrete thoughts on what we should do here or know who to ask?
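The post-resolution check argued for earlier in the thread, applied to the embedded-IPv4 forms listed in the comment above, as an added example in Python (not code from the Fetch standard or from this PR): each resolved address is normalized, any IPv4 address carried inside an IPv6 one is extracted (IPv4-mapped ::ffff:0:0/96, the deprecated IPv4-compatible ::/96, the NAT64 well-known prefix 64:ff9b::/96, and 6to4, handled for all of 2002::/16 rather than only the 2002::/48 case mentioned above), and the address is refused when it or its inner IPv4 address is unspecified (0.0.0.0 or ::). The resolver table, host names and function names are constructed for the example; it only understands /96 translation prefixes, so 64:ff9b:1::/48 and operator-chosen RFC 6052 prefixes of other lengths are outside what it handles, which is an assumption of the example, not a statement about the registries.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# IPv6 /96 prefixes whose low 32 bits carry an IPv4 address:
#   ::ffff:0:0/96  IPv4-mapped (RFC 4291)
#   ::/96          IPv4-compatible (deprecated, but still parseable)
#   64:ff9b::/96   NAT64 well-known prefix (RFC 6052)
# Operator-chosen RFC 6052 prefixes may be appended, but only /96 ones are
# understood here (assumption of this example; other prefix lengths place
# the IPv4 bits differently and are not handled).
EMBEDDING_PREFIXES_96: List[ipaddress.IPv6Network] = [
    ipaddress.IPv6Network("::ffff:0:0/96"),
    ipaddress.IPv6Network("::/96"),
    ipaddress.IPv6Network("64:ff9b::/96"),
]


def _parse(addr: Union[str, IPAddress]) -> IPAddress:
    """Accept either an address object or its textual form."""
    return ipaddress.ip_address(addr) if isinstance(addr, str) else addr


def embedded_ipv4(addr: Union[str, IPAddress]) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried inside addr, or None.

    An IPv4 address is returned as itself.  For IPv6, 6to4 (2002::/16, IPv4
    in bits 16..47) comes from the stdlib's sixtofour property; the /96
    prefixes above are handled by masking the low 32 bits.
    """
    addr = _parse(addr)
    if isinstance(addr, ipaddress.IPv4Address):
        return addr
    if addr.sixtofour is not None:
        return addr.sixtofour
    for net in EMBEDDING_PREFIXES_96:
        if addr in net:
            return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def is_blocked(addr: Union[str, IPAddress]) -> bool:
    """True for 0.0.0.0, ::, and every IPv6 form that embeds 0.0.0.0.

    Note ::1 sits inside the deprecated ::/96 and embeds 0.0.0.1, which is
    not unspecified, so loopback policy is deliberately left to other rules.
    """
    addr = _parse(addr)
    if addr.is_unspecified:
        return True
    inner = embedded_ipv4(addr)
    return inner is not None and inner.is_unspecified


def system_resolver(host: str) -> List[str]:
    """Real resolver: A/AAAA answers from the OS (the demo below uses a fake)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def classify_host(host: str,
                  resolve: Callable[[str], List[str]] = system_resolver
                  ) -> List[Tuple[str, bool]]:
    """Resolve first, then check every answer.

    This is the post-resolution ordering the thread argues for: a name that
    looks harmless but resolves to a blocked address is still caught.
    """
    return [(str(_parse(text)), is_blocked(text)) for text in resolve(host)]


# Constructed answers standing in for DNS; the names are placeholders.
FAKE_DNS = {
    "zero.example": ["0.0.0.0"],
    "mapped.example": ["::ffff:0.0.0.0"],
    "sixtofour.example": ["2002::"],
    "nat64.example": ["64:ff9b::", "64:ff9b::cb00:710a"],  # second is 203.0.113.10
    "ok.example": ["203.0.113.10", "2001:db8::10"],
}


def any_blocked(host: str) -> bool:
    """Would a fetch to host be refused, given the constructed answers?"""
    return any(blocked for _, blocked in classify_host(host, FAKE_DNS.__getitem__))


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(name, classify_host(name, FAKE_DNS.__getitem__))
```

`classify_host` takes the resolver as a parameter so the same check can be driven by real `getaddrinfo` answers or by the constructed table; the later comment about proxies that resolve on the user's behalf is exactly the case where the client never sees an address at all, and a check of this shape can only run wherever resolution actually happens.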
Could we say something like this?
We should also reference all the known relevant RFCs.
Maybe? Though also see my question above about the request already having left the end user's device. Is mapping to 0.0.0.0 still a problem if it happens on some intermediary?
Fixes #1117.
(See WHATWG Working Mode: Changes for more details.)