Bug XF\Http\Reader should not allow .internal domains to be fetched from an untrusted context

Thread starter Xon
Start date Aug 10, 2024

There is a bug in this version

Xon

Guest

Aug 10, 2024

.INTERNAL is now reserved for private-use applications

XF\Http\Reader::isRequestableUntrustedUrlExtended should return false for domains which match .internal (maybe even internal), as this can be used for internal DNS resolution and should not be publicly available.

Similar logic probably should handle .example/.invalid/.test/.local/.localhost which are reserve top-level domains.

HCaptcha::isLocalDomain likely should...

Read more

Continue reading...

You must log in or register to reply here.

Similar threads

Solved XF\Http\Reader should not allow .internal domains to be fetched from an untrusted context

Replies: 0

Views: 23

XenForo General Discussions Sep 3, 2024

Xon

XenForo Failed to open stream: No such file or directory src/XF/Http/Reader.php:444

Replies: 0

Views: 240

XenForo Development & Modifications Sep 15, 2023

Mr Lucky

Solved TypeError: array_merge(): Argument #1 must be of type array, bool given src/XF/Http/Reader.php:118

Replies: 0

Views: 480

XenForo General Discussions Oct 5, 2022

Kirby

Bug TypeError: array_merge(): Argument #1 must be of type array, bool given src/XF/Http/Reader.php:118

Replies: 0

Views: 495

XenForo General Discussions Sep 9, 2022

Kirby

Bug Must pass valid resource in src/XF/Http/ResponseStream.php:18

Replies: 0

Views: 34

XenForo General Discussions Jul 6, 2024

rkxh

Facebook X (Twitter) Reddit Pinterest WhatsApp Email Link

Top Bottom

Back

Welcome To The Geeks-Board!
For full use of the forum, you need to register. The registration will take only 1 minute and after that, you can enter and read topics. So don't hesitate and register now!
Log in Register
🔥 Hardware & Software Products
🔥 Android Devices Support
🔥 Web Development

This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Accept Learn more…

Search

Search

Bug XF\Http\Reader should not allow .internal domains to be fetched from an untrusted context

Xon

Guest

Similar threads