mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-27 22:49:56 -05:00
Commit graph

1 commit

Author SHA1 Message Date
Kevin Ansfield
6875796417 Blocked 0.* IP addresses when making oembed requests
no issue

It was possible for authenticated/trusted admin users to make GET requests to localhost via the oembed service by crafting a redirect that used 0.0.0.0.

- added the 0.* default route/routing block to the private IP regex used to block requests when we're contacting external sites
- added an additional IP or localhost check in the oembed service when fetching bookmark card data
2021-09-14 11:35:14 +01:00
Renamed from test/unit/lib/external-request.test.js