This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
To strengthen security, the websocket server in: /netserver/src/org/netbeans/modules/netserver/SocketFramework.java /web.common/src/org/netbeans/modules/web/common/api/WebServer.java must only accept connections from localhost, not from other machines. This is an interim solution for 7.3 only, for post-7.3 we will want to think about another solution.
I will look at it. Not sure about TM.
David suggested this patch: diff --git a/netserver/src/org/netbeans/modules/netserver/SocketFramework.java b/netserver/src/org/netbeans/modules/netserver/SocketFramework.java --- a/netserver/src/org/netbeans/modules/netserver/SocketFramework.java +++ b/netserver/src/org/netbeans/modules/netserver/SocketFramework.java @@ -132,6 +132,11 @@ if (!key.isValid()) { continue; } + if (key.channel() instanceof SocketChannel && + (!((SocketChannel)key.channel()).socket().getInetAddress().isSiteLocalAddress())) { + close(key); + continue; + } try { process(key);
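Review bot: the added check calls isSiteLocalAddress() on the peer address, which is the wrong predicate for "localhost only": 127.0.0.1 is not site-local, so a loopback client (the IDE's own browser) gets closed, while RFC 1918 peers such as 192.168.x.x on the same LAN are site-local and pass. Replace it with `!((SocketChannel) key.channel()).socket().getInetAddress().isLoopbackAddress()`, and note that the check sits in the selector loop before `process(key)`, so it runs on every readiness event rather than once per accepted connection; binding the ServerSocketChannel to the loopback address avoids accepting remote connections in the first place, leaving this filter as defence in depth only.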
Unfortunately, David's patch does not work for me (Chrome will stay on the "blank" page). I am NOT an expert in this area, but the proper solution seems to me to bind this server just to the local address, i.e. to start it with: new InetSocketAddress("localhost", PORT).
One note on David's patch: not only isSiteLocalAddress() but also isLoopbackAddress() must be called. However, then anyone from a local address (e.g. WiFi) can connect to the server and this is not what we want, at least now. Fixed by binding to localhost, can be verified using the netstat utility [1]. Fixed _only_ in branch release73 in the releases repo. Please verify, thanks. http://hg.netbeans.org/releases/rev/1bbf113ae327
[1] tcp6 0 0 127.0.0.1:8008 :::* LISTEN 18743/java
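The two approaches discussed in this thread, side by side, as an added example: this is not NetBeans code and not the patch from the changeset above. It binds a ServerSocketChannel to 127.0.0.1 (so the kernel refuses connections arriving on any other interface) and, as defence in depth, rejects an accepted channel whose peer is not a loopback address. The class name, port 0 (ephemeral) and the self-connect in main() are assumptions for the demo. Note the printed siteLocal=false for a 127.0.0.1 peer: that is why a filter based on isSiteLocalAddress() alone closes the IDE's own browser connection.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.channels.SelectionKey;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;

/**
 * Added example (hypothetical class, not NetBeans code): a server that is reachable
 * from the local machine only.
 *  1. Bind the listening socket to the loopback address, so a SYN from another
 *     host is never delivered to it.
 *  2. As defence in depth, drop any accepted connection whose peer is not loopback.
 *     isLoopbackAddress() is the right predicate; isSiteLocalAddress() is true for
 *     RFC 1918 LAN peers (192.168.x.x) and false for 127.0.0.1.
 */
public class LoopbackOnlyServer {

    /** Open a non-blocking server channel bound to 127.0.0.1 on the given port (0 = ephemeral). */
    public static ServerSocketChannel openLoopbackOnly(int port) throws IOException {
        ServerSocketChannel server = ServerSocketChannel.open();
        server.configureBlocking(false);
        // An explicit 127.0.0.1 rather than "localhost": the hostname may resolve to ::1 or
        // 127.0.0.1 depending on /etc/hosts, which changes which address the socket binds to.
        InetAddress loopback = InetAddress.getByAddress(new byte[] {127, 0, 0, 1});
        server.socket().bind(new InetSocketAddress(loopback, port));
        return server;
    }

    /** Defence-in-depth check for an accepted channel: true only if the peer is loopback. */
    public static boolean peerIsLoopback(SocketChannel channel) {
        InetAddress peer = channel.socket().getInetAddress();
        return peer != null && peer.isLoopbackAddress();
    }

    /** For a selector loop: close the channel (which cancels the key) if its peer is not loopback. */
    public static boolean rejectNonLoopback(SelectionKey key) throws IOException {
        if (key.channel() instanceof SocketChannel
                && !peerIsLoopback((SocketChannel) key.channel())) {
            key.channel().close();
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        ServerSocketChannel server = openLoopbackOnly(0);
        int port = server.socket().getLocalPort();
        System.out.println("listening on " + server.socket().getLocalSocketAddress());

        // A loopback client is accepted; note that its address is loopback but not site-local.
        Socket local = new Socket(InetAddress.getByAddress(new byte[] {127, 0, 0, 1}), port);
        server.configureBlocking(true);
        SocketChannel accepted = server.accept();
        InetAddress peer = accepted.socket().getInetAddress();
        System.out.println("peer " + peer + " loopback=" + peerIsLoopback(accepted)
                + " siteLocal=" + peer.isSiteLocalAddress());
        accepted.close();
        local.close();

        // Connecting to the same port via a non-loopback local interface is refused by the kernel,
        // because nothing listens on that address. Skipped if the host name resolves to loopback.
        InetAddress lanSelf = InetAddress.getLocalHost();
        if (!lanSelf.isLoopbackAddress()) {
            try {
                new Socket(lanSelf, port).close();
                System.out.println("UNEXPECTED: connected via " + lanSelf);
            } catch (IOException e) {
                System.out.println("connect via " + lanSelf + " refused as intended: " + e.getMessage());
            }
        }
        server.close();
    }
}
```

To check a running instance the way the comment above does, look at the local address column of the listener: `netstat -tlnp` (or `ss -tlnp` on newer Linux) should show 127.0.0.1:PORT, not 0.0.0.0:PORT or :::PORT. On a dual-stack JVM the entry appears under tcp6 even though it is a v4-mapped loopback address, exactly as in the output quoted in [1].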
I forgot - as agreed with PetrJ, fixed only the websocket server, not the internal webserver. Thanks.
I tried the patch and it's ok, I also tried simple inspection/debugging (just to see if it even works). I'll verify it tomorrow in RC.
Thanks a lot everyone.
Thanks for resolving this Tomas. My patch was an idea rather than know-how.
Integrated into 'releases', will be available in build *201301312200* or newer. Wait for official and publicly available build. Changeset: http://hg.netbeans.org/releases/rev/1bbf113ae327 User: Tomas Mysik <tmysik@netbeans.org> Log: #225592 - Internal websocket server must only accept connections from localhost
verified Product Version: NetBeans IDE 7.3 RC1 (Build 201301312200) Java: 1.6.0_38; Java HotSpot(TM) Client VM 20.13-b02 Runtime: Java(TM) SE Runtime Environment 1.6.0_38-b05 System: Linux version 3.2.0-35-generic-pae running on i386; UTF-8; en_US (nb)
Also transplanted to trunk: http://hg.netbeans.org/web-main/rev/71cb4f5aba4c
Integrated into 'main-golden', will be available in build *201302060843* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress) Changeset: http://hg.netbeans.org/main-golden/rev/71cb4f5aba4c User: Tomas Mysik <tmysik@netbeans.org> Log: #225592 - Internal websocket server must only accept connections from localhost (transplanted from 1bbf113ae327f0712b9f9c0fcfffe359f1f9dd1a)