
@kasperk81
Contributor

@ghost

ghost commented Oct 1, 2022

I couldn't figure out the best area label to add to this PR. If you have write-permissions please help me learn by adding exactly one area label.

@ghost ghost added the community-contribution Indicates that the PR has been added by a community member label Oct 1, 2022
@filipnavara
Member

You don't need to loop. It's easy to just specify a smaller range and +2 to the result if it's >= 5060.

@kasperk81
Contributor Author

this is future-proof for additional port blocking

@filipnavara
Member

filipnavara commented Oct 1, 2022

You can apply the same idea in a generic way. Just subtract the size of the array of the blocked ports from the random range. Then loop over the array of blocked ports and increment the random number R by 1 for each array[i] >= R.
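
Added example, not part of the thread and not the code merged in this PR: one way to pick a random port with a single draw and no retry loop, by shrinking the range by the number of blocked ports and then stepping past each blocked port at or below the draw. The class and method names and the 5000-7000 range are assumptions; the blocked ports are taken from the list posted further down in this conversation.

```csharp
using System;
using System.Linq;

// Added example; not the code merged in this PR. Names and the port range are assumptions.
static class PortPicker
{
    // Ports from the list on this page that fall inside the assumed 5000-7000 range.
    static readonly int[] s_blocked =
        { 5060, 5061, 6000, 6566, 6665, 6666, 6667, 6668, 6669, 6679, 6697 };

    // Treats candidate as a position among the allowed ports only and converts it
    // to a real port by stepping past every blocked port at or below it.
    // sortedBlocked must be ascending and free of duplicates.
    public static int SkipBlocked(int candidate, int[] sortedBlocked)
    {
        foreach (int b in sortedBlocked)
        {
            if (b > candidate)
                break;      // remaining blocked ports are all above the result
            candidate++;    // a blocked port sits at or below: shift up by one
        }
        return candidate;
    }

    // Uniform pick from [lo, hi] excluding blocked ports, with a single random draw.
    public static int Pick(int lo, int hi, int[] blocked)
    {
        int[] inRange = blocked.Where(p => p >= lo && p <= hi)
                               .Distinct().OrderBy(p => p).ToArray();
        int allowedCount = hi - lo + 1 - inRange.Length;
        if (allowedCount <= 0)
            throw new ArgumentException("every port in the range is blocked");
        return SkipBlocked(lo + Random.Shared.Next(allowedCount), inRange);
    }

    static void Main()
    {
        // All four possible draws for 5058..5063 with 5060 and 5061 blocked.
        int[] sip = { 5060, 5061 };
        for (int c = 5058; c <= 5061; c++)
            Console.WriteLine($"{c} -> {SkipBlocked(c, sip)}");

        int port = Pick(5000, 7000, s_blocked);
        Console.WriteLine($"picked {port}, blocked: {s_blocked.Contains(port)}");
    }
}
```

`Random.Shared` requires .NET 6 or later. Because each allowed port corresponds to exactly one draw, the result stays uniform over the allowed ports however many entries the blocked list gains.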

@ghost

ghost commented Oct 1, 2022

Tagging subscribers to this area: @directhex
See info in area-owners.md if you want to be subscribed.

Issue Details

to avoid slipstream attack https://chromestatus.com/feature/5064283639513088

Author: kasperk81
Assignees: -
Labels:

area-Infrastructure-mono, community-contribution

Milestone: -

@pavelsavara
Member

pavelsavara commented Oct 3, 2022

Could you please add a comment on why we are avoiding the ports? Also see what browsers consider unsafe
#76236 (comment)

@kasperk81
Contributor Author

comments added.

Also see what browsers consider unsafe #76236 (comment)

combination of those lists in case it is needed:

            1, // tcpmux
            7, // echo
            9, // discard
            11, // systat
            13, // daytime
            15, // netstat
            17, // qotd
            19, // chargen
            20, // FTP-data
            21, // FTP-control
            22, // SSH
            23, // telnet
            25, // SMTP
            37, // time
            42, // name
            43, // nicname
            53, // domain
            69, // TFTP
            77, // priv-rjs
            79, // finger
            87, // ttylink
            95, // supdup
            101, // hostname
            102, // iso-tsap
            103, // gppitnp
            104, // acr-nema
            109, // POP2
            110, // POP3
            111, // sunrpc
            113, // auth
            115, // SFTP
            117, // uucp-path
            119, // nntp
            123, // NTP
            135, // loc-srv / epmap
            137, // NetBIOS
            139, // netbios
            143, // IMAP2
            161, // SNMP
            179, // BGP
            389, // LDAP
            427, // SLP (Also used by Apple Filing Protocol)
            465, // SMTP+SSL
            512, // print / exec
            513, // login
            514, // shell
            515, // printer
            526, // tempo
            530, // courier
            531, // Chat
            532, // netnews
            540, // UUCP
            548, // afpovertcp [Apple addition]
            554, // rtsp
            556, // remotefs
            563, // NNTP+SSL
            587, // ESMTP
            601, // syslog-conn
            636, // LDAP+SSL
            989, // ftps-data
            990, // ftps
            993, // IMAP+SSL
            995, // POP3+SSL
            1719, // H323 (RAS)
            1720, // H323 (Q931)
            1723, // H323 (H245)
            2049, // NFS
            3659, // apple-sasl / PasswordServer [Apple addition]
            4045, // lockd
            5060, // SIP
            5061, // SIPS
            6000, // X11
            6566, // SANE
            6665, // Alternate IRC [Apple addition]
            6666, // Alternate IRC [Apple addition]
            6667, // Standard IRC [Apple addition]
            6668, // Alternate IRC [Apple addition]
            6669, // Alternate IRC [Apple addition]
            6697, // IRC+SSL [Apple addition]
            10080, // amanda
            4190, // ManageSieve [Apple addition]
            6679, // Alternate IRC SSL [Apple addition]

Member

@pavelsavara pavelsavara left a comment

LGTM after whitespace fix

@radical radical added the arch-wasm WebAssembly architecture label Oct 4, 2022
@ghost

ghost commented Oct 4, 2022

Tagging subscribers to 'arch-wasm': @lewing
See info in area-owners.md if you want to be subscribed.

Issue Details

to avoid slipstream attack https://chromestatus.com/feature/5064283639513088

Author: kasperk81
Assignees: -
Labels:

arch-wasm, area-Build-mono, community-contribution

Milestone: -

@radical radical changed the title from "block port# 5060 and 5061" to "WasmAppHost: block port# 5060 and 5061, for the webserver" Oct 4, 2022
@marek-safar marek-safar merged commit 1281a4a into dotnet:main Oct 4, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Nov 3, 2022
@kasperk81 kasperk81 deleted the patch-3 branch September 23, 2024 23:10