Skip to content
This repository was archived by the owner on Aug 28, 2024. It is now read-only.
This repository was archived by the owner on Aug 28, 2024. It is now read-only.

SafeURL doesn't filter private IPv6 addresses by default #1

Open
#2
Open
SafeURL doesn't filter private IPv6 addresses by default#1
#2
@JordanMilne

Description

@JordanMilne
JordanMilne
opened on Oct 24, 2016

SafeURL explicitly codes in support for IPv6, but no IPv6 addresses are included in the default blacklist.

SafeURL.fetch("http://[::1]/secret")

will connect to the loopback over IPv6 and return /secret's response.

Rather than add IPv6 addresses to the blacklist SafeURL should restrict itself to resolving IPv4 addresses for the reasons outlined in JordanMilne/Advocate#3. It's difficult to impossible to safely support IPv6 in a drop-in manner.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions