Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-1232478

Internet address dotted-style hostnames broken for applets

    XMLWordPrintable

    Details

    • Subcomponent:
    • Resolved In Build:
      1.0fcs
    • CPU:
      sparc
    • OS:
      solaris_2.4
    • Verification:
      Not verified

      Description

      [jdn December 20, 1995]
      If an applet tries to open a socket to a host using a dotted-style
      hostname string based on the IP address such as "129.144.46.114" it incorrectly gets an
      AppletSecurityException.

      This is caused by checkConnect() in
      src/share/sun/applet/AppletSecurity.java around line 356 calling
      InetAddress.getAllByName(). In turn, getAllByName() in
      src/share/java/java/net/InetAddress.java around line 250 calls
      lookupAllHostAddr() which is a native method implemented by
      java_net_InetAddress_lookupAllHostAddr() in src/solaris/java/runtime/socket.c.

      The bug is in java_net_InetAddress_lookupAllHostAddr() around line
      178 where it always throws an UnknownHostException if the hostname contains
      any digits (as in a dotted-style hostname). It seems to me that
      java_net_InetAddress_lookupAllHostAddr() is just a multi-address version of
      java_net_InetAddress_lookupHostAddr() which does handle dotted-style hostnames --
      starting at line 125. These two should be consistent. Dotted-style hostnames should
      be allowed since I don't know of any security hole they would cause and they
      used to be allowed. They are necessary when you know the 4-byte IP address but
      not the DNS-style hostname string. We need this for Java NEO (Joe). We can workaround
      it in many cases but may not have complete functionality.

      BTW, dotted-style host addresses seem to work for URL's (in HotJava
      for example) but I think this is because they get to bypass the security checks
      around line 319 in AppletSecurity.java where it checks if the socket connection
      request is being generated via sun.net.www.http.HttpClient.

      NOTE: The actual release that we are working with is a November 13
      snapshot of HotJava that falls somewhere between 1.0beta and 1.0beta2. We haven't
      had a chance to verify this yet against 1.0beta2 since we are still changing some
      of our sources to deal with recent language changes.

        Attachments

          Activity

            People

            Assignee:
            busersunw Btplusnull User (Inactive)
            Reporter:
            jdn Jeffrey Nisewanger (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Imported:
              Indexed: