Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Connection problem with IPv6 addresses #1130

Closed
atimin opened this issue Jul 22, 2020 · 2 comments · Fixed by #1147
Closed

Connection problem with IPv6 addresses #1130

atimin opened this issue Jul 22, 2020 · 2 comments · Fixed by #1147

Comments

@atimin
Copy link

atimin commented Jul 22, 2020
edited by elhorton
Loading

Hello,
we are trying to use MQTT.js with IPv6 addresses but we can't connect an MQTT broker:

client = mqtt.connect('ws://[::1]:9001');

This code throws an exception:

 'WebSocket': The URL 'ws://::1:9001/' is invalid.

It seems the library skips []. I've checked this URL with another library. It works fine.

AB#8505545
@seriousme
Copy link
Contributor

Hi,

I did some digging and the problem seems to be in Nodejs url.parse used in lib/connect/index.js

url.parse('ws://[::1]:9001/',true)
Url {
  protocol: 'ws:',
  slashes: true,
  auth: null,
  host: '[::1]:9001',
  port: '9001',
  hostname: '::1',
  hash: null,
  search: null,
  query: [Object: null prototype] {},
  pathname: '/',
  path: '/',
  href: 'ws://[::1]:9001/'
}

as you can see the brackets are in the host but not in the hostname anymore.

Whereas the URL constructor works fine:

new URL('ws://[::1]:9001/')
URL {
  href: 'ws://[::1]:9001/',
  origin: 'ws://[::1]:9001',
  protocol: 'ws:',
  username: '',
  password: '',
  host: '[::1]:9001',
  hostname: '[::1]',
  port: '9001',
  pathname: '/',
  search: '',
  searchParams: URLSearchParams {},
  hash: ''
}

Node's documentation is quite clear on the subject:

Use of the legacy url.parse() method is discouraged. Users should use the WHATWG URL API. Because the url.parse() method 
uses a lenient, non-standard algorithm for parsing URL strings, security issues can be introduced. Specifically, issues with host 
name spoofing and incorrect handling of usernames and passwords have been identified.

An obvious fix seems to be to replace var parsed = url.parse(brokerUrl, true) by var parsed = new URL(brokerUrl) but I haven't tested it. There are a few more places where url.parse is used. So whoever is going to fix this might want to fix them too.

Kind regards,
Hans

@seriousme
Copy link
Contributor

It turned out to be a bit more work as the URL class is a bit special.

I got a version working (although CI fails on node 10 due to a unrelated problem) at https://github.com/seriousme/MQTT.js/tree/replace-url-parse-by-url-class

I can do a PR if you like.

Kind regards,
Hans

@seriousme seriousme mentioned this issue Aug 22, 2020
Merged
YoDaMa pushed a commit that referenced this issue Oct 6, 2020
@seriousme
fix: replace url.parse by WHATWG URL API (#1147)
70a247c 
fixes #1130
@Steve-Mcl Steve-Mcl mentioned this issue Jan 16, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Replace url parse by url class seriousme/MQTT.js
2 participants
@atimin @seriousme