
Block access to ::, ::ffff:0:0, and 0.0.0.0 #1763

Status: Open. Wants to merge 4 commits into main.

Conversation

annevk (Member) commented Jul 10, 2024

Fixes #1117.

  • At least two implementers are interested (and none opposed):
    • N/A
  • Tests are written and can be reviewed and commented upon at:
    • Not testable unfortunately
  • Implementation bugs are filed:
    • N/A
  • MDN issue is filed: N/A
  • The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)


fogti commented Aug 9, 2024

Should this perhaps also include :: (IPv6)?

MaraJadeLives commented Aug 9, 2024

I got concerned when I saw an article on this bug. No offense, but given that y'all haven't patched it yet (thanks for working on this), would this little extension I tried to make for myself help protect me for now, while I wait for your actual, functional fix?
https://github.com/MaraJadeLives/0blocker/tree/main

annevk (Member, Author) commented Aug 11, 2024

@fogti I thought that could not be represented due to the way URL parsing works, but it seems I'm mistaken. Will have to look at that some more.

I also realized this fix is incorrect as we should block this after resolving an origin to an IP address, not before.

@MaraJadeLives I'm not sure who you mean by "y'all" but I no longer work for Mozilla. Also, this repository hosts the Fetch standard, not any particular implementation.

@annevk annevk changed the title Block access to 0.0.0.0 Block access to :: and 0.0.0.0 Aug 19, 2024
annevk (Member, Author) commented Aug 19, 2024

@fogti @sysrqb @mozfreddyb @ricea could you all please review? Feel free to nominate others as well.

(I looked into the URL Standard and it does seem to properly deal with :: (which is identical to ::0). I had just forgotten about it.)

valenting commented

I believe this should also block IPv4 mapped ::ffff:0.0.0.0

annevk (Member, Author) commented Aug 19, 2024

That would be ::ffff:0:0 normalized. Interesting. Will add.
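The thread above settles on three addresses to block (0.0.0.0, :: which is ::0, and ::ffff:0:0 which is how ::ffff:0.0.0.0 normalizes) and on checking them after an origin has been resolved to an IP address rather than before. The following is an added illustration, not text or code from the Fetch standard or this PR: a small Python model of that check. It goes slightly beyond the thread by unwrapping every IPv4-mapped address to its embedded IPv4 address before testing it, so the ::ffff:0:0 case falls out of the same "is unspecified" test as 0.0.0.0. The `FAKE_DNS` table and the `.test` host names are constructed stand-ins for real resolution, and the function names are my own.

```python
import ipaddress

# Constructed resolver table standing in for DNS lookups; not real data.
FAKE_DNS = {
    "zero.test": ["0.0.0.0"],
    "v6zero.test": ["::"],
    "mapped.test": ["::ffff:0.0.0.0"],
    "ok.test": ["192.0.2.10", "2001:db8::10"],
}


def normalize_address(text):
    """Parse an IP address string; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d or
    ::ffff:xxxx:xxxx) to the embedded IPv4 address so both spellings compare equal."""
    addr = ipaddress.ip_address(text)
    # IPv4Address has no ipv4_mapped attribute; IPv6Address returns None when not mapped.
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def is_blocked_address(text):
    """True for the addresses this PR blocks: 0.0.0.0, :: (== ::0) and
    ::ffff:0:0 (== ::ffff:0.0.0.0). Any other address passes."""
    return normalize_address(text).is_unspecified


def parse_host_literal(host):
    """Return the literal text if `host` is an IPv4 literal or a bracketed IPv6
    literal as found in a URL host, otherwise None."""
    literal = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(literal)
    except ValueError:
        return None
    return literal


def resolve(host, resolver=FAKE_DNS):
    """Stand-in for resolving an origin's host: IP literals resolve to themselves,
    names go through the (constructed) resolver table."""
    literal = parse_host_literal(host)
    if literal is not None:
        return [literal]
    return list(resolver.get(host, []))


def check_after_resolution(host, resolver=FAKE_DNS):
    """Apply the block after resolution, as the thread concludes it must be done.
    Simplification: every candidate address is checked and the first blocked one
    fails the request; returns ('network error', addr) or ('ok', addrs)."""
    addrs = resolve(host, resolver)
    for addr in addrs:
        if is_blocked_address(addr):
            return ("network error", addr)
    return ("ok", addrs)


if __name__ == "__main__":
    for host in ("zero.test", "v6zero.test", "mapped.test", "[::ffff:0:0]", "ok.test"):
        print(host, "->", check_after_resolution(host))
```

Checking the literal forms directly shows why the normalization matters: `normalize_address("::ffff:0.0.0.0") == normalize_address("::ffff:0:0")` holds, as does `ipaddress.ip_address("::") == ipaddress.ip_address("::0")`, so a check keyed on the parsed address rather than on the spelling catches all of the forms raised in the thread.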

@annevk annevk changed the title Block access to :: and 0.0.0.0 Block access to ::, ::ffff:0:0, and 0.0.0.0 Aug 19, 2024
mozfreddyb (Collaborator) commented

I think we might need to include 6to4 which also includes v4 addresses in v6. Would that be 2002::/48?

sysrqb commented Aug 21, 2024

While not directly appropriate for this PR, we should think about adding a similar check as part of response blocking, as well. I'm thinking about some proxying protocols where DNS resolution is performed by the proxy, and the results are similarly undefined in that case.

Successfully merging this pull request may close these issues: Should 0.0.0.0 always be a network error?

6 participants