sabi0 commented on issue #12964: URL: https://github.com/apache/lucene/issues/12964#issuecomment-1868103845
My assumption was wrong. When the permission has port 0 the remote port number is validated against the local system's "ephemeral port range":

```java
// SocketPermission.implies(): a policy port of 0 only covers the ephemeral range
if (policyLow == 0 && policyHigh == 0) {
    // ephemeral range only
    return targetLow >= ephemeralLow && targetHigh <= ephemeralHigh;
}
```

The [range itself](https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/net/SocketPermission.java#L244) is defined by `jdk.net.ephemeralPortRange.low` / `jdk.net.ephemeralPortRange.high` system properties. And when those are not set the range defaults to 49152 - 65535: https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/net/SocketPermission.java#L1228

So on my system this prints "false":

```java
import java.net.SocketPermission;

// port 20022 lies below the default JVM ephemeral range (49152-65535)
SocketPermission policy = new SocketPermission("127.0.0.1:0", "accept,listen");
SocketPermission request = new SocketPermission("127.0.0.1:20022", "accept");
System.out.println(policy.implies(request));
```

and this prints "true":

```java
import java.net.SocketPermission;

// port 50123 lies inside the default JVM ephemeral range (49152-65535)
SocketPermission policy = new SocketPermission("127.0.0.1:0", "accept,listen");
SocketPermission request = new SocketPermission("127.0.0.1:50123", "accept");
System.out.println(policy.implies(request));
```

Probably the "ephemeral port range" in the network stack and in the SocketPermission are somehow out of sync?

I found this snippet in `DNSDatagramSocketFactory.open()` javadoc:

> if binding a socket to port 0 binds it to a random port) then the underlying OS implementation is used. Otherwise, this method will allocate and bind a socket on a randomly selected ephemeral port in the dynamic range.

So when OS allocates a random port it does not necessarily fall in the JVM's ephemeral port range?

This does not break `127.0.0.1:0/listen` because the permission is checked before binding (when the actual port number is still not known). But `127.0.0.1:0/accept` is out of luck.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
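The mismatch described in the comment above can be checked directly on a host. The following program is an added example, not code from the issue or from Lucene or the JDK: it reads the ephemeral range that `SocketPermission` will assume (the `jdk.net.ephemeralPortRange.low`/`.high` properties, falling back to the 49152-65535 defaults named in the comment), reads the range the Linux kernel actually allocates from (`/proc/sys/net/ipv4/ip_local_port_range`; the path and the procfs parsing are assumptions for Linux and are skipped elsewhere), flags any disagreement, and then probes `implies()` with the two ports from the comment plus the boundaries of the JVM range. The class and method names are invented for this example.

```java
import java.net.SocketPermission;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not from the issue): compares the ephemeral port range that
 * SocketPermission assumes with the range the OS hands out, and shows which
 * ports a "host:0" accept policy actually covers.
 * Run with: java EphemeralRangeCheck.java
 */
public class EphemeralRangeCheck {

    // Defaults SocketPermission uses when the jdk.net.ephemeralPortRange.* properties are unset.
    static final int DEFAULT_LOW = 49152;
    static final int DEFAULT_HIGH = 65535;

    /** The ephemeral range the JVM's SocketPermission will use: property value or default. */
    static int[] jvmRange() {
        int low = Integer.getInteger("jdk.net.ephemeralPortRange.low", DEFAULT_LOW);
        int high = Integer.getInteger("jdk.net.ephemeralPortRange.high", DEFAULT_HIGH);
        return new int[] {low, high};
    }

    /** Linux's dynamic range read from procfs (assumed path); null on other platforms. */
    static int[] osRange() {
        Path p = Path.of("/proc/sys/net/ipv4/ip_local_port_range");
        try {
            String[] parts = Files.readString(p).trim().split("\\s+");
            return new int[] {Integer.parseInt(parts[0]), Integer.parseInt(parts[1])};
        } catch (Exception e) {
            return null;
        }
    }

    /** true if a policy granting "127.0.0.1:0" accept,listen covers an accept on the given port. */
    static boolean impliedByPortZero(int port) {
        SocketPermission policy = new SocketPermission("127.0.0.1:0", "accept,listen");
        SocketPermission request = new SocketPermission("127.0.0.1:" + port, "accept");
        return policy.implies(request);
    }

    public static void main(String[] args) {
        int[] jvm = jvmRange();
        int[] os = osRange();
        System.out.printf("JVM ephemeral range: %d-%d%n", jvm[0], jvm[1]);
        if (os == null) {
            System.out.println("OS ephemeral range: unknown (not Linux or procfs unreadable)");
        } else {
            System.out.printf("OS ephemeral range:  %d-%d%n", os[0], os[1]);
            // Any OS port outside the JVM range will be denied by a host:0 accept policy.
            if (os[0] < jvm[0] || os[1] > jvm[1]) {
                System.out.println("MISMATCH: the OS can bind ports the host:0 policy does not cover.");
            }
        }
        // The two ports from the issue plus the edges of the JVM range.
        int[] probes = {20022, jvm[0] - 1, jvm[0], 50123, jvm[1]};
        for (int port : probes) {
            if (port < 1 || port > 65535) continue;
            System.out.printf("accept on port %5d implied by 127.0.0.1:0 policy? %b%n",
                    port, impliedByPortZero(port));
        }
    }
}
```

On a stock Linux kernel `ip_local_port_range` defaults to 32768-60999, so with no `jdk.net.ephemeralPortRange.*` properties set the program reports a mismatch and prints `false` for 20022 and `true` for 50123, matching the comment. Passing `-Djdk.net.ephemeralPortRange.low=32768 -Djdk.net.ephemeralPortRange.high=60999` (the properties the comment links to) aligns the two ranges and is the least-privilege way to make `127.0.0.1:0/accept` cover every port the OS can actually assign, rather than widening the policy to all ports.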