This repository has been archived by the owner on Aug 28, 2024. It is now read-only.

SafeURL doesn't filter private IPv6 addresses by default #1

Open
JordanMilne opened this issue Oct 24, 2016 · 0 comments · May be fixed by #2
@JordanMilne

SafeURL explicitly codes in support for IPv6, but no IPv6 addresses are included in the default blacklist.

SafeURL.fetch("http://[::1]/secret")

will connect to the loopback over IPv6 and return /secret's response.

Rather than add IPv6 addresses to the blacklist, SafeURL should restrict itself to resolving IPv4 addresses for the reasons outlined in JordanMilne/Advocate#3. It's difficult to impossible to safely support IPv6 in a drop-in manner.

@JordanMilne JordanMilne linked a pull request Oct 27, 2016 that will close this issue
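
An added example (not SafeURL's code and not part of the issue) of the IPv4-only approach suggested above, next to a blacklist-only check that has the gap described. The blacklist contents, the function names and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed IPv4-only blacklist: stands in for a default list with no IPv6 entries.
IPV4_BLACKLIST = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def blacklisted(ip):
    # An IPv6 address is never "in" an IPv4 network, so this is False for ::1.
    return any(ip in net for net in IPV4_BLACKLIST)

def blacklist_only_allows(url):
    """The gap from the issue: any IP literal not on the IPv4 list is allowed."""
    return not blacklisted(ipaddress.ip_address(urlsplit(url).hostname))

def resolve_ipv4_only(url, resolver=socket.getaddrinfo):
    """Return the IPv4 addresses a fetch may connect to, or raise ValueError."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 80
    if not host:
        raise ValueError("URL has no host")
    try:
        candidates = [ipaddress.ip_address(host)]  # IP literal in the URL
    except ValueError:
        # Hostname: ask for A records only, so AAAA results never reach the check.
        infos = resolver(host, port, socket.AF_INET, socket.SOCK_STREAM)
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not candidates:
        raise ValueError("no IPv4 address for host")
    for ip in candidates:
        if ip.version != 4:
            raise ValueError(f"IPv6 destination refused: {ip}")
        if blacklisted(ip):
            raise ValueError(f"blacklisted destination: {ip}")
    return [str(ip) for ip in candidates]

if __name__ == "__main__":
    # Constructed sample URLs; 203.0.113.10 is a documentation-range address.
    for url in ("http://[::1]/secret", "http://127.0.0.1/secret",
                "http://203.0.113.10/"):
        try:
            verdict = "connect to %s" % resolve_ipv4_only(url)
        except ValueError as exc:
            verdict = "refused (%s)" % exc
        print(url, "| blacklist-only allows:", blacklist_only_allows(url),
              "| IPv4-only:", verdict)
```

A fetcher built on this would connect to one of the returned addresses rather than resolving the name a second time.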