Skip to content

Commit

Permalink
rpc server: fix host filter for localhost on ipv6 (#6454)
Browse files Browse the repository at this point in the history
This PR fixes an issue that I discovered using connecting to the RPC via
localhost using cURL, where cURL tries to connect to via ipv6 before
ipv4 when querying `localhost` which messed up the http host filter
whereas it would connect to the address `[::1]::9944 host_header:
localhost:9944` but the ipv6 interface only whitelisted `[::1]:9944`
which this fixes.

So let's whitelist all localhost interfaces to avoid such weird
edge-cases.

### Behavior before this PR

```bash
$ polkadot --chain westend-dev &
$ curl -v \
     -H 'Content-Type: application/json' \
     -d '{"jsonrpc":"2.0","id":"id","method":"system_name"}' \
     http://localhost:9944
* Host localhost:9944 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9944...
* Connected to localhost (::1) port 9944
> POST / HTTP/1.1
> Host: localhost:9944
> User-Agent: curl/8.5.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 50
>
< HTTP/1.1 403 Forbidden
< content-type: text/plain
< content-length: 41
< date: Tue, 12 Nov 2024 13:03:49 GMT
<
Provided Host header is not whitelisted.
* Connection #0 to host localhost left intact
```

### Behavior after this PR
```bash
$ polkadot --chain westend-dev &
➜ wasm-tests (update-artifacts-1731284930) ✗ curl -v \
     -H 'Content-Type: application/json' \
     -d '{"jsonrpc":"2.0","id":"id","method":"system_name"}' \
     http://localhost:9944
* Host localhost:9944 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9944...
* Connected to localhost (::1) port 9944
> POST / HTTP/1.1
> Host: localhost:9944
> User-Agent: curl/8.5.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 50
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=utf-8
< vary: origin, access-control-request-method, access-control-request-headers
< content-length: 54
< date: Tue, 12 Nov 2024 13:02:57 GMT
<
* Connection #0 to host localhost left intact
{"jsonrpc":"2.0","id":"id","result":"Parity Polkadot"}%
```

---------

Co-authored-by: GitHub Action <action@github.com>
Co-authored-by: command-bot <>
  • Loading branch information
niklasad1 and actions-user authored Nov 12, 2024
1 parent 4c059c0 commit 0a0af0e
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 8 deletions.
7 changes: 7 additions & 0 deletions prdoc/pr_6454.prdoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
title: 'rpc server: fix ipv6 host filter for localhost'
doc:
- audience: Node Operator
description: "This PR fixes that ipv6 connections to localhost was faulty rejected by the host filter because only [::1] was allowed"
crates:
- name: sc-rpc-server
bump: minor
13 changes: 5 additions & 8 deletions substrate/client/rpc-servers/src/utils.rs
Original file line number Diff line number Diff line change
Expand Up @@ -193,14 +193,11 @@ pub(crate) fn host_filtering(enabled: bool, addr: SocketAddr) -> Option<HostFilt
if enabled {
// NOTE: The listening addresses are whitelisted by default.

let mut hosts = Vec::new();

if addr.is_ipv4() {
hosts.push(format!("localhost:{}", addr.port()));
hosts.push(format!("127.0.0.1:{}", addr.port()));
} else {
hosts.push(format!("[::1]:{}", addr.port()));
}
let hosts = [
format!("localhost:{}", addr.port()),
format!("127.0.0.1:{}", addr.port()),
format!("[::1]:{}", addr.port()),
];

Some(HostFilterLayer::new(hosts).expect("Valid hosts; qed"))
} else {
Expand Down

0 comments on commit 0a0af0e

Please sign in to comment.