So I Don’t Like System.Net.HttpListener

…or at least, I disagree with a design choice made in a class it uses – System.Net.EndPointManager

Backstory (Exposition)

I’ve been doing some work with the generally excellent Dekiwiki. It’s a descendant of MediaWiki, of WikipediA fame. (Does anyone actually capitalize the “A” in WikipediA? I just noticed it on the logo on their website. Really. Never saw it before. Anyway, back to our, umm, backstory…)

Dekiwiki provides some neat extension capabilities, and a useful REST API, and a really cool web service framework. Oh, and it comes with a wiki, too.

Inciting Incident

But I noticed that the Dekiwiki API process (running under Mono) listens on its port on all interfaces, not just on localhost:

    netstat -anp | grep 8081
    tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 31194/mono

Well, that was disturbing, because it means anyone who can reach the machine’s external addresses, including people from the Internet (you know, “bad guys”), can connect to what is supposed to be an internal process.
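Spotting the 0.0.0.0 by eye is fine for one port, but the same check is worth automating across a whole host. The added example below (mine, not from the post or Dekiwiki) parses `netstat -anp`-style output and flags every LISTEN socket bound to a wildcard address; the sample output is constructed, with the post’s own mono line as the first entry and a loopback-only bind for contrast. It understands netstat’s column layout only, not `ss`.

```python
import sys
from typing import List, Tuple

# Addresses that mean "every interface" in netstat output (IPv4 and IPv6).
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample of `netstat -anp` output. The first data row is the
# one from the post; the mysqld row shows what a loopback-only bind looks like.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      31194/mono
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1220/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd
tcp        0      0 10.0.0.5:8081           203.0.113.9:51234       ESTABLISHED 31194/mono
"""


def split_addr(local: str) -> Tuple[str, int]:
    """Split 'addr:port' on the LAST colon, so IPv6 addresses such as ':::22' survive."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def wildcard_listeners(netstat_output: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, program) for every TCP LISTEN socket bound to a wildcard address."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the banner and header rows; only tcp/tcp6 rows have the layout we parse.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        proto, local, state = fields[0], fields[3], fields[5]
        if state != "LISTEN":
            continue  # established connections are not bindings
        addr, port = split_addr(local)
        if addr in WILDCARD_ADDRS:
            program = fields[6] if len(fields) > 6 else "?"
            found.append((proto, port, program))
    return found


if __name__ == "__main__":
    # Pipe real output in (`netstat -anp | python3 check_listeners.py`), or run
    # with no input to see the constructed sample evaluated.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for proto, port, program in wildcard_listeners(text):
        print(f"{proto} port {port} is bound to every interface: {program}")
```

On the sample this reports the mono process on 8081 and sshd on 22 and stays quiet about mysqld, which is the behaviour the Dekiwiki config below is trying to ask for.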

Complications

There’s a configuration value in /etc/dekiwiki/mindtouch.host.conf that looks like it should restrict the listening address:

    # Port the API listens on
    HTTP_PORT="8081"

    # hostname to listen on
    IP="127.0.0.1"

Rising Action

But it doesn’t.

Digging into the code (gotta love open source…), I found that the API is simply built on Mono’s HttpListener class. HttpListener delegates socket setup to EndPointManager, which includes this code:

    // Always listens on all the interfaces, no matter the host name/ip used.
    EndPointListener epl = GetEPListener (IPAddress.Any, lp.Port, listener, lp.Secure);

Climax

And sure enough, a quick experiment with IronPython against Microsoft’s .NET on Windows

    from System.Net import *
    l = HttpListener()
    # Register a prefix that names localhost only, then start listening
    l.Prefixes.Add( "http://localhost:8080/" )
    l.Start()

showed that Microsoft’s implementation behaves the same way:

    netstatp -an | grep -B2 8080
    [TCP] ipy.exe:3656
    State: LISTENING
    Local: 0.0.0.0:8080

*sigh*

Denouement

I can understand why – Microsoft wants the HttpListener class to work like virtual hosts in an HTTP 1.1 server, so that requests for different web applications can be told apart by hostname, but that doesn’t make the “bind sockets only to the appropriate interface” principle any less valuable.

But at least if you send an ordinary request over that socket from an external host, its Host header won’t match the registered URL prefix, so you’ll get an error. That’s something anyway. And you can always set up firewall rules to block the port…
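That prefix check is worth testing rather than trusting. Both listeners compare the registered prefix against the Host header, and the Host header is whatever the client chooses to send; nothing in the code quoted above looks at which interface the connection arrived on. The added example below (mine, not from the post, Dekiwiki or Mono) emulates that match in `host_matches_prefix` and, in `probe`, sends a raw request with a chosen Host header to a listener’s external address so you can see what it actually answers. The prefix list, the target address and the “no port means 80” default are assumptions of the emulation, not facts taken from either implementation.

```python
import socket
import sys
from urllib.parse import urlsplit

# Constructed: the prefix an HttpListener-style service registers.
PREFIXES = ["http://localhost:8080/"]


def host_matches_prefix(host_header: str, prefixes=PREFIXES) -> bool:
    """Emulate the URL-prefix match. Only the client-supplied Host header is
    consulted; the interface the connection came in on plays no part.
    Assumption: a Host header without a port is treated as port 80."""
    try:
        sent = urlsplit("//" + host_header.strip())
        sent_host, sent_port = sent.hostname, sent.port or 80
    except ValueError:
        return False  # malformed Host header, e.g. a non-numeric port
    for prefix in prefixes:
        p = urlsplit(prefix)
        if p.hostname in ("*", "+"):
            return True  # wildcard prefixes accept any Host on this port
        if sent_host == p.hostname and sent_port == (p.port or 80):
            return True
    return False


def build_probe(host_header: str, path: str = "/") -> bytes:
    """A minimal HTTP/1.1 request whose Host header is chosen by the caller."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def status_line(response: bytes) -> str:
    """First line of an HTTP response, e.g. 'HTTP/1.1 400 Bad Request'."""
    return response.split(b"\r\n", 1)[0].decode(errors="replace")


def probe(target_ip: str, port: int, host_header: str, timeout: float = 5.0) -> str:
    """Connect to the listener on an external address and send the chosen Host.
    A 400 means the prefix check rejected it; anything else means the
    application behind the listener handled the request."""
    with socket.create_connection((target_ip, port), timeout=timeout) as s:
        s.sendall(build_probe(host_header))
        data = b""
        while b"\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return status_line(data)


if __name__ == "__main__":
    # Example: python3 probe.py 192.0.2.10 8080 localhost:8080   (target is a placeholder)
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <target-ip> <port> <host-header>")
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

In the emulation a request carrying `Host: 10.0.0.5:8080` is refused while one carrying `Host: localhost:8080` is accepted, whichever address it was sent to; run `probe` with both against the real listener from another machine to confirm which of the two it cares about. On Windows there is a second knob to know about: HttpListener sits on http.sys, and the addresses http.sys binds are controlled by its IP listen list (`netsh http show iplisten`; empty means every address), not by the prefix.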

kb
