Odd behaviour with WCF base addresses and HTTP.SYS wildcards

13 Mar 2008 21:30 wcf

I’m at DevWeek this week, and I went (among other things) to a couple of WCF presentations by Aaron Skonnard.

So, anyway, last night I put together a really simple WCF service. It looks like this:

using System;
using System.ServiceModel;

namespace WcfHost
{
    [ServiceContract]
    internal interface IHello
    {
        [OperationContract]
        string SayHello();
    }

    internal class HelloService : IHello
    {
        public string SayHello()
        {
            return "Hello";
        }
    }

    class Program
    {
        static void Main()
        {
            ServiceHost host = new ServiceHost(typeof(HelloService), new Uri("http://+:8010/"));
            host.AddServiceEndpoint(typeof(IHello), new BasicHttpBinding(), "Hello");
            host.Open();
            Console.WriteLine("Ready. Press Enter to quit.");
            Console.ReadLine();
            host.Close();
        }
    }
}

Note how I’m using the HTTP.SYS wildcard syntax for the URI. Unfortunately, WCF doesn’t like that, and I get a UriFormatException: Invalid URI: The hostname could not be parsed.

So I change it to http://localhost:8080/, and instead I get another exception: HTTP could not register URL http://+:8080/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details).

It’s not lying: I don’t have access rights to the HTTP namespace (I run Windows Vista with UAC turned off, under a normal user account). Most things work fine. Occasionally I have to step out to the Administrator account for some stuff. In this case, that would be a netsh http add urlacl url=http://+:8080/ user=HOME\roger.

That’s not what’s bothering me.

What’s bothering me is that WCF appears to have quietly translated my localhost to +, meaning that even though I’ve asked only to bind to 127.0.0.1, I’ve actually bound to all available addresses.

Surely this increases the attack surface for my WCF host? Or am I missing something?