I see a minor problem (non security related) with the handling of HTTP redirects. Depending on the exact HTTP code (ex: 303 vs 307), a POST request may need to be converted to GET when redirected: https://tools.ietf.org/html/rfc7231#section-6.4.7
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed Advanced Search
Advanced Search
Advanced Search
Mar 26 2015
Mar 26 2015
Agarri_FR added a comment to T6755: Allow more granular configuration of `security.allow-outbound-http`.
Agarri_FR added a comment to T6755: Allow more granular configuration of `security.allow-outbound-http`.
I didn't went through a thorough analysis of the proposed patch, but the global analysis and some specific portions (like DNS rebinding) seem fine. How did you deal with HTTP redirects?
Mar 25 2015
Mar 25 2015
Agarri_FR added a comment to T6755: Allow more granular configuration of `security.allow-outbound-http`.
This library may help: https://github.com/fin1te/safecurl
Mar 23 2015
Mar 23 2015
Agarri_FR added a comment to T6755: Allow more granular configuration of `security.allow-outbound-http`.
The DNS result will be cached... depending on its TTL. Setting the TTL to 0 is enough to get a fresh request for each resolution.
Agarri_FR added a comment to D12136: Improve granluarity and defaults of `security.allow-outbound-http`.
The protection can be bypassed using HTTP redirects (untested) and DNS re-binding. Cf the HackerOne ticket for details https://hackerone.com/reports/53088