[RESOLVED] Redirect triggers LOCAL rule


Re: [RESOLVED] Redirect triggers LOCAL rule

by Tom T. » Fri May 18, 2012 11:55 pm

@ GµårÐïåñ:

I've never had that issue, so whatever it is, it appears to be unrelated to this thread. But as was done here, check your DNS configuration, try other DNSs, etc., and if there is a discrepancy, then you can get it fixed as was done here.


@siu:

You're quite welcome, and some good came out of it: DNS "stupidity" corrected. Isn't it good that Giorgio has enough pull to get through where most of us couldn't? ;)


@ Giorgio:
Should ABE automail DNS tech contacts?

Apparently. :D

I'm glad that it wasn't the things I suggested in PM - DNS hack, cache poisoning, ARP poisoning, etc. ... but OTOH, if it were, would the DNS Admin or bottlepy Admin admit it? Can't imagine deliberately or even accidentally registering a local link address with a DNS. Just wondering ...

Thanks for your help in seeing this through to full resolution.

Re: [RESOLVED] Redirect triggers LOCAL rule

by GµårÐïåñ » Fri May 18, 2012 9:17 pm

How is this resolved exactly? Just wondering because the case I wrote Giorgio in private about was forums.informaction.com triggering LOCAL and it still does it, mostly on redirects but sometimes on just Ctrl+Click of a link to open in a new tab, sometimes just straight up click, so I am not sure what's going on but I think we are glossing over this way too quickly. Just saying. I tried to resolve this in private with Giorgio LONG before a bunch of posts about this and that showed up on the site but no resolution and now that it's gone public, I would personally like to know the why, not just, oh I assume this is the problem. I mean for 15 years my DNS has been fine, suddenly my DHCP/DNS is f-ed up? Seriously? Not buying that.

EDIT: Apparently while I was posting this Giorgio was posting his reply, so my reply was pre Giorgio reply you see below/above depending on how you have your posts sorted.

Re: [RESOLVED] Redirect triggers LOCAL rule

by Giorgio Maone » Fri May 18, 2012 8:49 pm

Mystery solved, indeed:
bottlepy wrote: @ma1 @dakami The http://bottlepy.org fe80:/10 AAAA thing was just stupidity on my part :)
Giorgio Maone wrote: @bottlepy @dakami @davidsinuela 10x for solving this mystery. http://wm161.net same issue? Should ABE automail DNS tech contacts?

Re: redirect and chrome://browser/content/browser/browser.xu

by siu » Fri May 18, 2012 9:51 am

I would say this issue is solved, we've been discussing in private and this is what we've found:

The output of this command:

Code:

top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) { alert(r.toSource())} )
is:

Code:

({ts:1337158919407, entries:["173.214.207.14", "fe80::226:b9ff:fe53:ebd3"], expireTime:1337158979407})
Of those, the first IP address is a valid IPv4 address but the second is an IPv6 link-local address (as of the standard: http://en.wikipedia.org/wiki/Private_network#IPv6). Indeed the AAAA DNS record for that domain looks like this:

Code:

 ; <<>> DiG 9.3.2 <<>> @8.8.8.8 bottlepy.org AAAA
 ; (1 server found)
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48086
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;bottlepy.org.			IN	AAAA
 
 ;; ANSWER SECTION:
 bottlepy.org.		82690	IN	AAAA	fe80::226:b9ff:fe53:ebd3
 
 ;; Query time: 8 msec
 ;; SERVER: 8.8.8.8#53(8.8.8.8)
 ;; WHEN: Fri May 18 11:15:11 2012
 ;; MSG SIZE  rcvd: 58
Which should not be used on the internet and is triggering the LOCAL rule of the ABE.

Related topic: http://forums.informaction.com/viewtopi ... =23&t=8729

Thanks a lot to Giorgio Maone and Tom T. for the support.
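
Added example (not part of the thread, and not NoScript's own code): a stand-alone JavaScript version of the check discussed here, run against the DNS record siu posted. It reuses the `_localIPRx` expression quoted elsewhere in this thread, with the `{3}` quantifier on the broadcast alternative restored as an assumption; the function bodies, `localEntries`, `wouldTriggerLocal` and every sample record except the bottlepy.org one are constructed for illustration.

```javascript
// Added illustration; names and bodies are hypothetical, not NoScript's DNS.js.
// Regex as quoted in the thread, "{3}" after "(?:255\.)" restored (assumption).
const LOCAL_IP_RX = /^(?:(?:0|127|10|169\.254|172\.(?:1[6-9]|2\d|3[0-1])|192\.168)\..*\.[^0]\d*$|(?:(?:255\.){3}255|::1?)$|f(?:[cd]|e(?:[c-f]|80:))[0-9a-f]*:)/i;

// 6to4 (2002::/16) carries an IPv4 address in the 32 bits after the prefix.
function ip6to4(addr) {
  const m = /^2002:([0-9a-f]{1,4}):([0-9a-f]{1,4})(?::|$)/i.exec(addr);
  if (!m) return null;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join(".");
}

// Same branching as the snippet Giorgio quotes: 6to4 addresses are unwrapped
// and re-checked as IPv4, everything else goes straight to the regex.
function isLocalIP(addr) {
  if (addr.indexOf("2002:") === 0) {
    const v4 = ip6to4(addr);
    return v4 !== null && isLocalIP(v4);
  }
  return LOCAL_IP_RX.test(addr);
}

// Assumption: one local address among the entries is enough to mark the
// whole record local, which is consistent with what the thread reports.
function localEntries(record) {
  return record.entries.filter(isLocalIP);
}

// LOCAL-style decision as described in the thread:
// non-local origin, destination resolving to a local address.
function wouldTriggerLocal(originRecord, destRecord) {
  return localEntries(originRecord).length === 0 &&
         localEntries(destRecord).length > 0;
}

// First record is the one posted in the thread; the rest are constructed.
const bottlepy = { entries: ["173.214.207.14", "fe80::226:b9ff:fe53:ebd3"] };
const fixed = { entries: ["173.214.207.14"] };           // AAAA removed
const sixToFour = { entries: ["2002:c0a8:0101::1"] };    // embeds 192.168.1.1
const publicOrigin = { entries: ["203.0.113.10"] };      // documentation range

console.log(wouldTriggerLocal(publicOrigin, bottlepy), localEntries(bottlepy));
console.log(wouldTriggerLocal(publicOrigin, fixed));
console.log(wouldTriggerLocal(publicOrigin, sixToFour));
```

A resolver that filters out AAAA answers never sees the link-local entry, so the same check passes there.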

Re: redirect and chrome://browser/content/browser/browser.xu

by Tom T. » Sat May 12, 2012 10:01 am

siu wrote: So you think that it resolves to a local IP, and I'm beginning to think that bottlepy.org is probably hosted in a university in Germany, and I'm having this issue only when I visit the site from either a university (in Spain) or a public organization (in France).
It seems to be a strange combination of hosting in the US, with DNS servers in Germany.
IP address: 173.214.207.14
Host name: bottlepy.org

173.214.207.14 is from United States(US) in region North America

TraceRoute to 173.214.207.14 [bottlepy.org]
<snip>
11 25 25 25 173.214.207.14 unknown.carohosting.net


Retrieving DNS records for bottlepy.org...

DNS servers
ns2.hans.hosteurope.de [80.237.128.10]
ns1.hans.hosteurope.de

Answer records
bottlepy.org NS ns1.hans.hosteurope.de 259200s
bottlepy.org NS ns2.hans.hosteurope.de 259200s

bottlepy.org SOA server: ns1.hans.hosteurope.de 86400s


Results returned from whois.arin.net:
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=173.2 ... xt=netref2
#

Carolina Internet, Ltd. CARO-NET-ARIN-7 (NET-173-214-192-0-1) 173.214.192.0 - 173.214.207.255
CaroNet Managed Hosting, Inc. CI-173-214-204-0-22 (NET-173-214-204-0-1) 173.214.204.0 - 173.214.207.255

OrgName: CaroNet Managed Hosting, Inc.
OrgId: CIL-56
Address: 900 Center Park Dr
Address: Suite A
City: Charlotte
State: NC (North Carolina -- you know, the State where John Edwards used to be a Senator. :D )
PostalCode: 28217
Country: US
I don't see why visiting it from a public organization in France would cause it to point to your LAN, unless your LAN includes those French and Spanish sites.
See PM for a bit more.

I could be mistaken, but I think Giorgio was suggesting that it was something in the DNS configuration: on the machines configured one way, it doesn't happen, but on those configured another way, it does. Try experimenting with a different DNS server? (OpenDNS, etc.)

Re: redirect and chrome://browser/content/browser/browser.xu

by siu » Sat May 12, 2012 8:52 am

Giorgio Maone wrote:Unfortunately your analysis, albeit suggestive, is incorrect.

Current relevant code is:

Code:

 return (addr.indexOf("2002:") === 0
        ? this.isLocalIP(this.ip6to4(addr))
        : this._localIPRx.test(addr)
        ) 
where the check for the address beginning with "2002:" is just a performance optimization to use the relatively slower recursive call after converting IPv6 to IPv4 only if the address can be converted (i.e. is an IPv4 address represented as an IPv6 one, identified by the "2002:" prefix).

Otherwise (i.e. if the address does not begin with "2002:"), it is checked against the this._localIPRx regular expression, which BTW correctly matches IPv6 addresses starting with the "fe80:" prefix.
Ok, I wasn't sure about this part.
Giorgio Maone wrote: Furthermore, it is not your local IP which is checked by isLocalIP(), but the origin and the destination of the HTTP request (i.e. the site containing the link and the destination of the link): if the origin is found to be non-local but the destination is a lan IP, the rule is triggered.
Yes, it is indeed failing when checking the destinationIP.
Giorgio Maone wrote: Therefore the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP.
Could you please run the following snippet in your Error Console (Ctrl+Shift+J) and copy here the content of the alert box?

Code:

top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) alert(r.toSource())) 
I will perform this test at work on Monday where I see this issue. So you think that it resolves to a local IP, and I'm beginning to think that bottlepy.org is probably hosted in a university in Germany, and I'm having this issue only when I visit the site from either a university (in Spain) or a public organization (in France).

Re: redirect and chrome://browser/content/browser/browser.xu

by Giorgio Maone » Sat May 12, 2012 6:43 am

Tom T. wrote: If indeed "the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP", then why wouldn't you and I be able to reproduce?
Because of a difference in ours and his DNS configuration, for instance.

Re: redirect and chrome://browser/content/browser/browser.xu

by Tom T. » Sat May 12, 2012 1:18 am

Giorgio Maone wrote:... Therefore the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP.
Could you please run the following snippet in your Error Console (Ctrl+Shift+J) and copy here the content of the alert box?

Code:

top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) alert(r.toSource())) 
I get

Code:

Error: missing ; before statement
Source File: javascript:%20Timestamp:%2(local date/time)%20PM%20Error:%20attempt%20to%20run%20compile-and-go%20script%20on%20a%20cleared%20scope%20Source%20File:%20chrome://noscript/content/DNS.js%20Line:%20238
Line: 1, Column: 22
Source Code:
 Timestamp: (local date/time) PM Error: attempt to run compile-and-go script on a cleared scope Source File: chrome://noscript/content/DNS.js Line: 238
So far, the problem has occurred only on *nix systems, and not on my 32-bit Win, or (apparently) your 64-bit Win with full IPV6 support (I don't have that on this older machine.)
If indeed "the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP", then why wouldn't you and I be able to reproduce it?

Re: redirect and chrome://browser/content/browser/browser.xu

by Giorgio Maone » Fri May 11, 2012 8:50 pm

Unfortunately your analysis, albeit suggestive, is incorrect.

Current relevant code is:

Code:

 return (addr.indexOf("2002:") === 0
        ? this.isLocalIP(this.ip6to4(addr))
        : this._localIPRx.test(addr)
        ) 
where the check for the address beginning with "2002:" is just a performance optimization to use the relatively slower recursive call after converting IPv6 to IPv4 only if the address can be converted (i.e. is an IPv4 address represented as an IPv6 one, identified by the "2002:" prefix).

Otherwise (i.e. if the address does not begin with "2002:"), it is checked against the this._localIPRx regular expression, which BTW correctly matches IPv6 addresses starting with the "fe80:" prefix.

Furthermore, it is not your local IP which is checked by isLocalIP(), but the origin and the destination of the HTTP request (i.e. the site containing the link and the destination of the link): if the origin is found to be non-local but the destination is a lan IP, the rule is triggered.

Therefore the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP.
Could you please run the following snippet in your Error Console (Ctrl+Shift+J) and copy here the content of the alert box?

Code:

top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) alert(r.toSource())) 

Re: redirect and chrome://browser/content/browser/browser.xu

by dhouwn » Fri May 11, 2012 5:47 pm

Very nice analysis!
siu wrote: Is there a bugtracker where to post and discuss this?
Sadly, no. This here is basically the bug tracker.

Re: redirect and chrome://browser/content/browser/browser.xu

by siu » Fri May 11, 2012 5:37 pm

I've spent a few hours debugging and I could finally find out why the LOCAL rule was being applied.
I think the issue is in the parsing of IPv6 addresses in DNS.js. IPv6 is enabled on my PC and that makes the function DNSRecord.isLocal() iterate over all the possible addresses, i.e. the IPv4 and the IPv6 address. That's ok. But then the DNS.isLocalIP(addr) fails to detect the IPv6 address as IPv6 because in this specific case it starts with "fe80:" but it is searching only for "2002:". I think that the regexp on the top of that function can be applied to IPv6 as well but it seems that it doesn't work in this case.

I could fix it by replacing the comparison

Code:

addr.indexOf("2002:") === 0
by

Code:

addr.indexOf(":") != -1
, as in:

Code:

  _localIPRx: /^(?:(?:0|127|10|169\.254|172\.(?:1[6-9]|2\d|3[0-1])|192\.168)\..*\.[^0]\d*$|(?:(?:255\.){3}255|::1?)$|f(?:[cd]|e(?:[c-f]|80:))[0-9a-f]*:)/i,
  isLocalIP: function(addr) {

    // see https://bug354493.bugzilla.mozilla.org/attachment.cgi?id=329492 for a more verbose but incomplete (missing IPV6 ULA) implementation
    // Relevant RFCs linked at http://en.wikipedia.org/wiki/Private_network
    return (addr.indexOf(":") != -1
        ? this.isLocalIP(this.ip6to4(addr))
        : this._localIPRx.test(addr)
        ) ||
      this.localExtras && this.localExtras.testIP(addr) ||
      WAN.ipMatcher && WAN.ipMatcher.testIP(addr);
  },
It is probably not the best way to fix it but at least it removes this false positive.

Is there a bugtracker where to post and discuss this?

Re: redirect and chrome://browser/content/browser/browser.xu

by siu » Fri May 11, 2012 9:44 am

Thanks for your answer, let's try to find where the error is.
Tom T. wrote: Unable to reproduce on Win XP, Fx 12.0, NS 2.4.1rc3, even after multiple page reloads resulting from allowing the disqus script and its related items in Blocked Objects menu -- and that's with the additional ABE NAT-pinning rule discussed here.
Notice that I don't even get to that point, I only see an empty page with the ABE warning on the top.
Tom T. wrote: Have you added any ABE rules beyond the default SYSTEM rule?
No, I've never touched the ABE rules.
Tom T. wrote:
I've tried with a freshly created FF profile and it is still happening.
Try a freshly-created profile with a fresh install of NS, and *no* other add-ons, to eliminate the possibility that the problematic system has an extension conflict.
This is exactly what I've done, I created a new profile and installed NoScript 2.4.1 from mozilla addons.
Tom T. wrote:If you have access to other systems, or if anyone else can reproduce on, say, Mac, etc., please advise.
I've been able to reproduce it on two other systems:

- CentOS, FF 12.0 downloaded from the official website
- Red Hat EL, using FF 10.0 distributed with the system

Once again I tested with new profiles where I've only installed NoScript 2.4.1.

It also happens when I search for that URL in google and I follow the link but in this case the warning instead of chrome://... shows what looks like the referrer URL.

Re: redirect and chrome://browser/content/browser/browser.xu

by Tom T. » Fri May 11, 2012 8:36 am

siu wrote:When accessing http://bottlepy.org I get this error message from the ABE:

Code:

Request {GET http://bottlepy.org/docs/dev/ <<< http://bottlepy.org/, chrome://browser/content/browser.xul - 6} filtered by ABE: <LOCAL> Deny
Unable to reproduce on Win XP, Fx 12.0, NS 2.4.1rc3, even after multiple page reloads resulting from allowing the disqus script and its related items in Blocked Objects menu -- and that's with the additional ABE NAT-pinning rule discussed here.

Have you added any ABE rules beyond the default SYSTEM rule?
siu wrote:I've tried on two different computers, one running ubuntu / FF 12.0 / NoScript 2.4 and I can't reproduce it, on the contrary on another pc running archlinux / FF 12.0 / NoScript 2.4 I'm having this issue.
Wouldn't that point to an issue in archlinux? -- as you don't get it in Ubuntu, and I don't get it in Windows?
I've tried with a freshly created FF profile and it is still happening.
Try a freshly-created profile with a fresh install of NS, and *no* other add-ons, to eliminate the possibility that the problematic system has an extension conflict.
.... something I should report to bottlepy.org?
Not at this time. So far, it's pointing to something in that Linux distro, or as mentioned, an extension conflict in that particular profile.

If you have access to other systems, or if anyone else can reproduce on, say, Mac, etc., please advise.

[RESOLVED] Redirect triggers LOCAL rule

by siu » Fri May 11, 2012 8:09 am

When accessing http://bottlepy.org I get this error message from the ABE:

Code:

Request {GET http://bottlepy.org/docs/dev/ <<< http://bottlepy.org/, chrome://browser/content/browser.xul - 6} filtered by ABE: <LOCAL> Deny
I've tried on two different computers, one running ubuntu / FF 12.0 / NoScript 2.4 and I can't reproduce it, on the contrary on another pc running archlinux / FF 12.0 / NoScript 2.4 I'm having this issue. I've tried with a freshly created FF profile and it is still happening.

I've noticed that bottlepy.org is returning a redirect in the headers but there is no content on the page and I guess this makes Firefox render chrome://browser/content/browser.xul.

Do you think it is a problem in my system, a bug in FF/NoScript or something I should report to bottlepy.org?
