Time to use AF_UNIX
Posted Aug 9, 2024 15:40 UTC (Fri) by quotemstr (subscriber, #45331)
In reply to: Time to use AF_UNIX by leromarinvit
Parent article: 0.0.0.0 Day: Exploiting Localhost APIs From the Browser (Oligo Security)
It's really no different from putting a web app under a non-root path using regular HTTP. For example, http://myhost.example.com/~foo/bar versus http://myhost.example.com/~bar/qux. Using the GP's suggestion, we'd just make the host portion of the URL empty and interpret empty as localhost. (You'd write http:///var/run/user/1000/blah.sock or something.) This approach lets us also talk about Unix sockets on other hosts if we ever want to do that, e.g. http://some-machine/var/run/user/1000/blah.sock.