XF\Http\Reader should not allow .internal domains to be fetched from an untrusted context

.INTERNAL is now reserved for private-use applications

XF\Http\Reader::isRequestableUntrustedUrlExtended should return false for domains which match .internal (maybe even internal), as this can be used for internal DNS resolution and should not be publicly available.

Similar logic probably should handle .example/.invalid/.test/.local/.localhost, which are reserved top-level domains.

HCaptcha::isLocalDomain likely should...
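
The check requested above, as an added PHP example that is not XenForo's code and not part of the original post: it rejects URLs whose host ends in one of the reserved names listed in the post, including the bare single-label form. The function names `hasReservedTld` and `isUrlHostAllowed` and the sample URLs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not XenForo code. Reserved names from the post:
// .internal plus .example/.invalid/.test/.local/.localhost.
const RESERVED_TLDS = ['internal', 'example', 'invalid', 'test', 'local', 'localhost'];

/**
 * True when the host's final DNS label is a reserved/private-use name.
 * Also matches the bare single-label form ("internal", "localhost").
 */
function hasReservedTld(string $host): bool
{
    // DNS names are case-insensitive and may carry a trailing root dot,
    // so "Wiki.INTERNAL." must be treated like "wiki.internal".
    $host = rtrim(strtolower(trim($host)), '.');
    if ($host === '') {
        return true; // nothing usable to fetch: treat as not requestable
    }
    $labels = explode('.', $host);
    return in_array(end($labels), RESERVED_TLDS, true);
}

/** URL-level wrapper: reject unparsable URLs and reserved-TLD hosts. */
function isUrlHostAllowed(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    return !hasReservedTld($host);
}

// Constructed sample URLs, not taken from the page.
$samples = [
    'https://example.com/image.png',   // ordinary public name
    'http://wiki.internal/logo.png',   // reserved TLD
    'http://Build.INTERNAL./a',        // mixed case plus trailing root dot
    'http://internal/',                // bare single label
    'http://printer.local:631/',       // reserved TLD with explicit port
    'https://internal.example.com/',   // reserved word, but not the last label
];
foreach ($samples as $url) {
    printf("%-36s %s\n", $url, isUrlHostAllowed($url) ? 'allow' : 'block');
}
```

A name-based filter like this complements, and does not replace, validating the IP addresses a hostname resolves to, since a public name can still point at a private address.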
