Dag-Erling Smørgrav <des at des.no> writes:
> Basically the IPv6 equivalent of https://127.0.0.1/. "[::]" is the
> bracketed literal representation of the IPv6 localhost address.

Hang on a sec - localhost should be [::1], not [::], which is the equivalent of 0.0.0.0. My guess is a software bug. Jails look a little weird from the inside unless you use a fully virtualized network stack. The proxy probably doesn't have sufficient error checking around getpeername() or something like that.

DES
--
Dag-Erling Smørgrav - des at des.no

Dag-Erling Smørgrav wrote:
> Hang on a sec - localhost should be [::1], not [::], which is the
> equivalent of 0.0.0.0. My guess is a software bug. Jails look a little
> weird from the inside unless you use a fully virtualized network stack.
> The proxy probably doesn't have sufficient error checking around
> getpeername() or something like that.

Another intermediate URL-checker reports that the plugin in question (CanvasBlocker) is requesting https://[::]/ directly. If a bug, this is the first I've seen of its kind. If not, the question is what threat profile [::]:443 might expose. (Other than the obvious jail vector, which really should be fixed. FreeBSD Foundation, where are you?)

Karl's reference to RFC 4291 indicates it is a protocol violation as well.

The symptom has been reported to Mozilla.

Roger
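
Added example, not part of the thread or of any project mentioned in it: a small check that a URL filter or proxy log review could use to tell the unspecified address ([::], 0.0.0.0) apart from loopback ([::1], 127.0.0.1), the distinction the messages above turn on. The function names and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def classify_destination(url):
    """Classify the host of a URL as 'unspecified', 'loopback',
    'other-ip' or 'hostname' (hostnames are not resolved here)."""
    host = urlsplit(url).hostname  # brackets around IPv6 literals are stripped
    if not host:
        raise ValueError("no host in URL: %r" % (url,))
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as the
    # IPv4 address it carries.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_unspecified:   # :: or 0.0.0.0, not valid as a destination
        return "unspecified"
    if addr.is_loopback:      # ::1 or 127.0.0.0/8
        return "loopback"
    return "other-ip"


def flag_unspecified(urls):
    """Return the URLs whose destination is the unspecified address."""
    return [u for u in urls if classify_destination(u) == "unspecified"]


# Constructed sample requests, as a URL checker might log them.
SAMPLE_URLS = [
    "https://[::]/",
    "https://[::]:443/",
    "https://[::1]/",
    "https://127.0.0.1/",
    "http://0.0.0.0:8080/",
    "https://[::ffff:0.0.0.0]/",
    "https://[2001:db8::1]/",
    "https://localhost/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print("%-28s %s" % (u, classify_destination(u)))
```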