Bug #54083 WB documentation HTTP port is open to the world
Submitted: 29 May 2010 6:25
Modified: 11 Jun 2010 10:21
Reporter: Hartmut Holzgraefe
Status: Closed
Category: MySQL Workbench
Severity: S3 (Non-critical)
Version: WB 5.2.21
OS: Linux
Assigned to: Alfredo Kojima
CPU Architecture: Any

[29 May 2010 6:25] Hartmut Holzgraefe
Description:
The HTTP server thread started by Workbench to provide documentation to the local web browser listens on all IP interfaces even though it is only intended for local use.

How to repeat:
* click "MySQL Doc Library" in "Workbench Central" on the "Home" tab
* an HTTP server thread is spawned which listens on port 8811
* run "netstat -lnt | grep 8811" to see that the HTTP server thread listens to the world, not just the "localhost" interface on 127.0.0.1

  tcp        0      0 0.0.0.0:8811            0.0.0.0:*               LISTEN

Suggested fix:
It is sufficient to listen to the "localhost" interface as the local documentation URL passed on to the local browser is "http://localhost:8811"

=== modified file 'plugins/wb.doclib/mysqldoclib.py'
--- plugins/wb.doclib/mysqldoclib.py	2010-05-27 21:44:35 +0000
+++ plugins/wb.doclib/mysqldoclib.py	2010-05-28 21:48:51 +0000
@@ -802,7 +802,7 @@
       # Connect to the database
       db_conn = open_lib_db()
       try:
-        server = HTTPServer(('', port), DocsLibHandler)
+        server = HTTPServer(('localhost', port), DocsLibHandler)
         server.verbose = verbose
         server.db_conn = db_conn
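
Review bot: Hard-coding 'localhost' in the HTTPServer(...) call removes the all-interfaces listener for every caller of this function, standalone use of mysqldoclib.py included, with no way to opt back in. If standalone serving to other hosts is a supported use, make the bind address a parameter instead. In either case a literal '127.0.0.1' avoids depending on how the name localhost resolves on the host.
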
[29 May 2010 10:02] Hartmut Holzgraefe
provide interface binding as optional feature in mysqldoclib.py
and request localhost binding in wb_doclib_grt.py, so that 
standalone functionality is not changed:

=== modified file 'plugins/wb.doclib/mysqldoclib.py'
--- plugins/wb.doclib/mysqldoclib.py	2010-05-27 21:44:35 +0000
+++ plugins/wb.doclib/mysqldoclib.py	2010-05-29 09:33:49 +0000
@@ -794,7 +794,7 @@
   def log_error(self, message, *args):
     verbose_print(self.server.verbose, message % args)
 
-def serve_docs(port = 8080, verbose = 1, datadir= "./", ready_event=None):
+def serve_docs(port = 8080, verbose = 1, datadir= "./", ready_event=None, bind=''):
   global global_app_data_dir
   global_app_data_dir = datadir
   try:
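
Review bot: The new bind parameter in the serve_docs() signature defaults to '', so any caller that omits it still listens on all interfaces and the safe setting is opt-in. Consider defaulting to the loopback address and making the wide bind the explicit choice, and document the parameter, in particular that an empty string means every interface.
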
@@ -802,7 +802,7 @@
       # Connect to the database
       db_conn = open_lib_db()
       try:
-        server = HTTPServer(('', port), DocsLibHandler)
+        server = HTTPServer((bind, port), DocsLibHandler)
         server.verbose = verbose
         server.db_conn = db_conn
         
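
Review bot: After server = HTTPServer((bind, port), DocsLibHandler) nothing reports which address was actually bound, and bind is now caller-supplied. Passing server.server_address to verbose_print here would let a user confirm the listener's scope from the verbose output rather than from netstat.
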
=== modified file 'plugins/wb.doclib/wb_doclib_grt.py'
--- plugins/wb.doclib/wb_doclib_grt.py	2010-05-27 21:44:35 +0000
+++ plugins/wb.doclib/wb_doclib_grt.py	2010-05-29 09:59:35 +0000
@@ -60,7 +60,7 @@
 
 def run_server(datadir, server_port, ready_event):
     import mysqldoclib
-    mysqldoclib.serve_docs(server_port, datadir=datadir, ready_event=ready_event)
+    mysqldoclib.serve_docs(server_port, bind='localhost', datadir=datadir, ready_event=ready_event)
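
Review bot: bind='localhost' in run_server() repeats as a literal the host name that the report says is used in the documentation URL handed to the browser (http://localhost:8811). Define the host once and use it for both the bind and the URL, so the two cannot diverge if one is changed later.
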
[31 May 2010 13:34] MySQL Verification Team
Thank you for the bug report.
[2 Jun 2010 12:11] Alfredo Kojima
Patch applied, thanks for it.
[9 Jun 2010 13:00] Johannes Taxacher
fix confirmed in repository. doc-pages-http server is now started only on localhost
[11 Jun 2010 10:21] Tony Bedford
An entry has been added to the 5.2.23 changelog:

The HTTP server thread started by MySQL Workbench to provide documentation to the local web browser listened on all IP interfaces, even though it was only intended for local use.
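
The check from the report's "How to repeat" steps, as an added example that is not part of the original report or of the Workbench code: it parses `netstat -lnt` output and lists TCP listeners bound beyond loopback, and goes past the report's single IPv4 case by also handling IPv6 rows. The sample output is constructed around the one line quoted in the report, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `netstat -lnt` output; only the 8811 row comes from the report.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8811            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp        0      0 192.168.1.20:22         0.0.0.0:*               LISTEN
"""

def scope(host):
    """Classify a bind address as loopback, all-interfaces, specific or unknown."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"  # e.g. a host name because netstat ran without -n
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::, the wildcard bind
        return "all-interfaces"
    return "specific"

def parse_listeners(netstat_text):
    """Return (proto, host, port, scope) for each TCP row in LISTEN state."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # The port follows the last colon, which also works for ":::8080" and "::1:631".
        host, _, port = fields[3].rpartition(":")
        if port.isdigit():
            rows.append((fields[0], host, int(port), scope(host)))
    return rows

def non_loopback(netstat_text, ports=None):
    """Listeners not confined to loopback, optionally limited to the given ports."""
    return [row for row in parse_listeners(netstat_text)
            if row[3] != "loopback" and (ports is None or row[2] in ports)]

if __name__ == "__main__":
    for proto, host, port, kind in non_loopback(SAMPLE):
        print(f"{proto:5} port {port:<5} bound to {host} ({kind})")
```

Rows classified as unknown are reported rather than skipped, so an address the parser cannot interpret is never silently treated as safe.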