nrepl listens to remote connections from all interfaces by default

[erno]

At clojure-emacs/cider#2482 it was said that nrepl by default binds to "::", the IPv6 equivalent of 0.0.0.0, which is a security problem absent authentication since anyone from the internet can connect and execute code. Indeed the current code at https://github.com/nrepl/nREPL/blob/2dda589d5d8b1f8e299d532a303371cc3654d5ce/src/clojure/nrepl/server.clj#L108 seems to work this way.

[bbatsov]

The open question from the CIDER issue remains - what should be the default? Seems if we bind to localhost we can't have both ipv4 and ipv6 clients connect to the server and this causes issues for some users. I'm open to suggestions.

[erno]

I think this is a fundamental limitation of the socket api. You need to have the code changed to handle multiple concurrent listening sockets if you want to listen to both IPv4 localhost and IPv6 localhost. Just sticking to IPv4 localhost is fine until then. You can spell it as 127.0.0.1 if the concern is that someone may have "::1" as the "localhost" entry in their /etc/hosts.

[bbatsov]

@SevereOverfl0w @arrdem Any thoughts on this?

[bbatsov]

Some more details here https://docs.oracle.com/javase/8/docs/technotes/guides/net/ipv6_guide/index.html

[erno]

Yes, like the Java docs note (mirroring the C socket API), the "::" address is a special case in that it can accept both v4 and v6 connections. For historical context: this was an early compatibility hack in the IPv6 socket API design so that typical socket server apps could support dual-stack operation (as simultaenous v6 + v4 compatbility was called) with minium changes, continuin with a single listening socket.

[bbatsov]

Got it. Well, it makes sense to me to change this back to localhost (or 127.0.0.1) and just improve the docs.

Ideally we can switch our server model to feature two sockets if someone is willing to work on this. //cc @hanshuebner