From 9cf990501cd14703fe50f0e59fdd66f9be330959 Mon Sep 17 00:00:00 2001
From: m3ch_mania <2357245-m3ch_mania@users.noreply.gitlab.com>
Date: Sat, 18 Jul 2020 04:07:53 +0000
Subject: [PATCH] Addresses issue #66

The client will now fail on startup if either port is on the restricted ports list.
---
 src/main/kotlin/mdnet/base/Constants.kt | 74 +++++++++++++++++++++++++
 src/main/kotlin/mdnet/base/Main.kt | 3 +
 2 files changed, 77 insertions(+)

diff --git a/src/main/kotlin/mdnet/base/Constants.kt b/src/main/kotlin/mdnet/base/Constants.kt
index 53293fe..4160745 100644
--- a/src/main/kotlin/mdnet/base/Constants.kt
+++ b/src/main/kotlin/mdnet/base/Constants.kt
@@ -26,4 +26,78 @@ object Constants {
 const val MAX_READ_TIME_SECONDS = 300
 const val MAX_WRITE_TIME_SECONDS = 60
+
+ // General list of ports to which Firefox and Chromium will not send HTTP requests for security reasons
+ // See:
+ // * https://chromium.googlesource.com/chromium/src.git/+/refs/heads/master/net/base/port_util.cc
+ // * https://developer.mozilla.org/en-US/docs/Mozilla/Mozilla_Port_Blocking#Blocked_Ports
+ @JvmField val RESTRICTED_PORTS = intArrayOf(
+ 1, // tcpmux
+ 7, // echo
+ 9, // discard
+ 11, // systat
+ 13, // daytime
+ 15, // netstat
+ 17, // qotd
+ 19, // chargen
+ 20, // ftp data
+ 21, // ftp access
+ 22, // ssh
+ 23, // telnet
+ 25, // smtp
+ 37, // time
+ 42, // name
+ 43, // nicname
+ 53, // domain
+ 77, // priv-rjs
+ 79, // finger
+ 87, // ttylink
+ 95, // supdup
+ 101, // hostriame
+ 102, // iso-tsap
+ 103, // gppitnp
+ 104, // acr-nema
+ 109, // pop2
+ 110, // pop3
+ 111, // sunrpc
+ 113, // auth
+ 115, // sftp
+ 117, // uucp-path
+ 119, // nntp
+ 123, // NTP
+ 135, // loc-srv /epmap
+ 139, // netbios
+ 143, // imap2
+ 179, // BGP
+ 389, // ldap
+ 427, // SLP (Also used by Apple Filing Protocol)
+ 465, // smtp+ssl
+ 512, // print / exec
+ 513, // login
+ 514, // shell
+ 515, // printer
+ 526, // tempo
+ 530, // courier
+ 531, // chat
+ 532, // netnews
+ 540, // uucp
+ 548, // AFP (Apple Filing Protocol)
+ 556, // remotefs
+ 563, // nntp+ssl
+ 587, // smtp (rfc6409)
+ 601, // syslog-conn (rfc3195)
+ 636, // ldap+ssl
+ 993, // ldap+ssl
+ 995, // pop3+ssl
+ 2049, // nfs
+ 3659, // apple-sasl / PasswordServer
+ 4045, // lockd
+ 6000, // X11
+ 6665, // Alternate IRC [Apple addition]
+ 6666, // Alternate IRC [Apple addition]
+ 6667, // Standard IRC [Apple addition]
+ 6668, // Alternate IRC [Apple addition]
+ 6669, // Alternate IRC [Apple addition]
+ 6697 // IRC + TLS
+ )
 }
diff --git a/src/main/kotlin/mdnet/base/Main.kt b/src/main/kotlin/mdnet/base/Main.kt
index 9c1af90..1879682 100644
--- a/src/main/kotlin/mdnet/base/Main.kt
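Review bot: The label on the `993` entry is wrong: 993 is IMAP over TLS, not LDAP (636 two lines above already carries `ldap+ssl`), so the line should read `993, // imap+ssl`. The list is also exposed as a public mutable `IntArray`; since `Main` only needs membership tests, a read-only `val RESTRICTED_PORTS: Set<Int> = setOf(...)` would stop any holder of the reference from editing the block list and make `in` a hash lookup instead of a linear scan (`@JvmField` can remain if Java callers need the field). Because this is a hand-copied snapshot of browser block lists that change over time, the header comment should record when it was taken, e.g. `// Snapshot of the Chromium/Firefox lists as of <DATE-PLACEHOLDER>; re-check against the linked sources when updating.`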
+++ b/src/main/kotlin/mdnet/base/Main.kt
@@ -109,6 +109,9 @@ object Main {
 if (settings.clientPort == 0) {
 dieWithError("Config Error: Invalid port number")
 }
+ if (settings.clientPort in Constants.RESTRICTED_PORTS) {
+ dieWithError("Config Error: Unsafe port number")
+ }
 if (settings.maxCacheSizeInMebibytes < 1024) {
 dieWithError("Config Error: Invalid max cache size, must be >= 1024 MiB (1GiB)")
 }
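Review bot: The message on the new `dieWithError` call names neither the rejected port nor the reason, which makes the startup failure hard to diagnose from a log line alone; `dieWithError("Config Error: Port ${settings.clientPort} is on the browser restricted-ports list")` would state both. The commit description says either port is checked, but only `settings.clientPort` is validated in this hunk; if the settings carry a second port it presumably needs the same check, unless that lives outside the shown range. The enclosing function in `object Main` starts before and continues after this hunk.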