[jdn December 20, 1995]
If an applet tries to open a socket to a host using a dotted-style
hostname string based on the IP address, such as "129.144.46.114", it incorrectly gets an
AppletSecurityException.
This is caused by checkConnect() in
src/share/sun/applet/AppletSecurity.java around line 356 calling
InetAddress.getAllByName(). In turn, getAllByName() in
src/share/java/java/net/InetAddress.java around line 250 calls
lookupAllHostAddr() which is a native method implemented by
java_net_InetAddress_lookupAllHostAddr() in src/solaris/java/runtime/socket.c.
The bug is in java_net_InetAddress_lookupAllHostAddr() around line
178 where it always throws an UnknownHostException if the hostname contains
any digits (as in a dotted-style hostname). It seems to me that
java_net_InetAddress_lookupAllHostAddr() is just a multi-address version of
java_net_InetAddress_lookupHostAddr() which does handle dotted-style hostnames --
starting at line 125. These two should be consistent. Dotted-style hostnames should
be allowed since I don't know of any security hole they would cause and they
used to be allowed. They are necessary when you know the 4-byte IP address but
not the DNS-style hostname string. We need this for Java NEO (Joe). We can work around
it in many cases but may not have complete functionality.
BTW, dotted-style host addresses seem to work for URLs (in HotJava
for example) but I think this is because they get to bypass the security checks
around line 319 in AppletSecurity.java where it checks if the socket connection
request is being generated via sun.net.www.http.HttpClient.
NOTE: The actual release that we are working with is a November 13
snapshot of HotJava that falls somewhere between 1.0beta and 1.0beta2. We haven't
had a chance to verify this yet against 1.0beta2 since we are still changing some
of our sources to deal with recent language changes.
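The consistency the report asks for, as an added example in C; this is not code from the JDK sources or from the reporter. The names lookup_all_host_addr() and first_addr_host_order() are hypothetical. A multi-address lookup tries a strict dotted-style parse first, which needs no resolver query, and only then treats the string as a DNS-style name.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not the JDK's code): fill `out` with up to `max`
 * IPv4 addresses for `host`; return the count, or -1 if unknown. */
int lookup_all_host_addr(const char *host, struct in_addr *out, int max)
{
    struct addrinfo hints, *res, *p;
    int n = 0;

    if (host == NULL || out == NULL || max < 1)
        return -1;

    /* Dotted-style literal: strict four-part parse, no resolver call.
     * This is the input the report says the multi-address path rejects. */
    if (inet_pton(AF_INET, host, &out[0]) == 1)
        return 1;

    /* Anything else is handed to the resolver as a DNS-style name. */
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    for (p = res; p != NULL && n < max; p = p->ai_next)
        out[n++] = ((struct sockaddr_in *)p->ai_addr)->sin_addr;
    freeaddrinfo(res);
    return n > 0 ? n : -1;
}

/* Convenience for checking: first address as a host-order 32-bit value,
 * or 0 if the lookup failed. */
unsigned long first_addr_host_order(const char *host)
{
    struct in_addr a[4];

    if (lookup_all_host_addr(host, a, 4) < 1)
        return 0;
    return (unsigned long)ntohl(a[0].s_addr);
}
```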