informalsystems / tendermint-rs

Client libraries for Tendermint/CometBFT in Rust!
Apache License 2.0

rpc: remove HTTP proxy support #1346

Status: Closed (mzabaluev closed 1 year ago)

mzabaluev commented 1 year ago

Closes #1342 by removing all use of hyper-proxy, and the HTTP proxy support in tendermint-rpc client which requires it.

thanethomson commented 1 year ago

@tony-iqlusion, IIRC you needed HTTP proxy support, which drove the work in #820, right?

tony-iqlusion commented 1 year ago

Yes, though it seems hyper-proxy may be unmaintained, unfortunately.

romac commented 1 year ago

How bad is that vulnerability in practice? I would expect that people will use proxies that they know and trust, and, worst case, that their VM running Hermes coming to a halt in case the proxy server is compromised would not have major consequences, but I could be wrong. So perhaps before removing code that might be helpful to some of our users, although I am always partial to deleting code and tidying up dependencies, we should (a) assess the actual severity of the vulnerability for our use case and (b) see if we can wait it out a bit and push for the community to move to a better-maintained alternative. What do you think, @mzabaluev @tony-iqlusion @thanethomson?

mzabaluev commented 1 year ago

@romac I have commented on the issue. Indeed, the potential for exploiting this is quite limited. I've also started looking into implementing HTTP CONNECT transport on our own, which does not seem like a big thing to do (even though we need to set aside a day or two for this).

mzabaluev commented 1 year ago

Let's preserve the functionality and go with #1362 instead.