RSS Feed/News XF\Http\Reader should not allow .internal domains to be fetched from an untrusted context

ENXF NET

.INTERNAL is now reserved for private-use applications

XF\Http\Reader::isRequestableUntrustedUrlExtended should return false for domains which match .internal (maybe even internal), as this can be used for internal DNS resolution and should not be publicly available.

Similar logic probably should handle .example/.invalid/.test/.local/.localhost, which are reserved top-level domains.

HCaptcha::isLocalDomain likely should...
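As an added example of the check the post is asking for (this is not XenForo's code, and the function names are hypothetical), a Python URL filter that refuses reserved top-level domains such as .internal and .localhost, bare single-label hosts, and non-global IP literals before an untrusted feed URL is ever fetched:

```python
import ipaddress
from urllib.parse import urlparse

# Special-use TLDs an untrusted fetcher must not resolve: .internal (ICANN
# private-use reservation) plus the reserved names listed in the post.
RESERVED_TLDS = frozenset({
    "internal", "example", "invalid", "test", "local", "localhost",
})

def is_requestable_untrusted_host(host: str) -> bool:
    """True only if `host` may be fetched on behalf of an untrusted user.

    Rejects subdomains of reserved TLDs (e.g. db.svc.internal), hosts with a
    single label (resolved via internal search domains), and IP literals that
    are not globally routable (loopback, RFC 1918, link-local, ...).
    """
    host = host.strip().lower().rstrip(".")  # normalise case and FQDN trailing dot
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host.strip("[]"))  # IPv6 literals may keep brackets
    except ValueError:
        pass  # not an IP literal, fall through to name checks
    else:
        return addr.is_global
    labels = host.split(".")
    if len(labels) < 2 or "" in labels:
        return False
    return labels[-1] not in RESERVED_TLDS

def is_requestable_untrusted_url(url: str) -> bool:
    """Apply the host filter to a full URL; only http(s) with a host passes.

    This is a name-level gate only: a second check on the addresses the host
    actually resolves to is still needed to defeat DNS rebinding.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return is_requestable_untrusted_host(parts.hostname)

if __name__ == "__main__":
    # Constructed sample inputs, not values from any real configuration.
    for u in ("https://example.com/feed.xml", "http://db.internal/",
              "http://[::1]/", "http://10.0.0.5/", "http://intranet/"):
        print(f"{u!r}: {'allowed' if is_requestable_untrusted_url(u) else 'blocked'}")
```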
