[cups.bugs] [MOD] STR #3162: IPv6 loopback address (::1) considered a bad host.
Michael Sweet
msweet at apple.com
Mon Apr 20 16:52:10 PDT 2009
[STR Closed w/o Resolution]
Sigh... The correct syntax for IPv6 addresses in Host: headers is supposed
to be "[address]", to match what is used in a URI.
See section 14.23 of the HTTP spec (RFC 2616). The host field from a URI
must be used, and numeric IPv6 addresses use the form [address] or
[v1.address] in order to avoid ambiguity with the port number, e.g.:
Host: ::1:631
is ambiguous, while:
Host: [::1]:631
is not.
That said, if GNOME or your Linux distro is using "::1" for the default
server name, they are broken. The usual default is a domain socket, with
"localhost" being used if the domain socket is not available.
In addition, hostname lookups do not affect local access checks, since
access from ::1, 127.0.0.1, or the domain socket use hardcoded tests to
specifically protect against DNS rebinding attacks on the loopback
interface.
Link: http://www.cups.org/str.php?L3162
Version: 1.3.10
Fix Version: Will Not Fix
More information about the cups-devel
mailing list