Page MenuHomePhabricator

Agarri_FR (Nicolas Grégoire)
User

Projects

User does not belong to any projects.

Today

  • Clear sailing ahead.

Tomorrow

  • Clear sailing ahead.

Thursday

  • Clear sailing ahead.

User Details

User Since
Mar 23 2015, 1:23 PM (292 w, 11 h)
Availability
Available

Recent Activity

Mar 26 2015

Agarri_FR added a comment to T6755: Allow more granular configuration of `security.allow-outbound-http`.

I see a minor problem (non security related) with the handling of HTTP redirects. Depending on the exact HTTP code (ex: 303 vs 307), a POST request may need to be converted to GET when redirected: https://tools.ietf.org/html/rfc7231#section-6.4.7

Mar 26 2015, 8:18 PM · Security
Agarri_FR added a comment to T6755: Allow more granular configuration of `security.allow-outbound-http`.

I didn't went through a thorough analysis of the proposed patch, but the global analysis and some specific portions (like DNS rebinding) seem fine. How did you deal with HTTP redirects?

Mar 26 2015, 6:43 PM · Security

Mar 25 2015

Agarri_FR added a comment to T6755: Allow more granular configuration of `security.allow-outbound-http`.

This library may help: https://github.com/fin1te/safecurl

Mar 25 2015, 10:08 AM · Security

Mar 23 2015

Agarri_FR added a comment to T6755: Allow more granular configuration of `security.allow-outbound-http`.

The DNS result will be cached... depending on its TTL. Setting the TTL to 0 is enough to get a fresh request for each resolution.

Mar 23 2015, 6:43 PM · Security
Agarri_FR added a comment to D12136: Improve granluarity and defaults of `security.allow-outbound-http`.

The protection can be bypassed using HTTP redirects (untested) and DNS re-binding. Cf the HackerOne ticket for details https://hackerone.com/reports/53088

Mar 23 2015, 5:47 PM