- User Since
- Mar 23 2015, 1:23 PM (292 w, 11 h)
Mar 26 2015
I see a minor problem (non security related) with the handling of HTTP redirects. Depending on the exact HTTP code (ex: 303 vs 307), a POST request may need to be converted to GET when redirected: https://tools.ietf.org/html/rfc7231#section-6.4.7
I didn't went through a thorough analysis of the proposed patch, but the global analysis and some specific portions (like DNS rebinding) seem fine. How did you deal with HTTP redirects?
Mar 25 2015
This library may help: https://github.com/fin1te/safecurl
Mar 23 2015
The DNS result will be cached... depending on its TTL. Setting the TTL to 0 is enough to get a fresh request for each resolution.
The protection can be bypassed using HTTP redirects (untested) and DNS re-binding. Cf the HackerOne ticket for details https://hackerone.com/reports/53088