jointakahe / takahe

An ActivityPub/Fediverse server
BSD 3-Clause "New" or "Revised" License

basic protection against invalid domain names #680

Closed alphatownsman closed 6 months ago

alphatownsman commented 6 months ago

Current behavior is very insecure; this patch solves part of the problem, but not all of it.

E.g. https://mysite.com/@abc@whatever/posts/123/ will create garbage data in the database, which is a bit insecure, but the data is at least marked as connection_issue after some stator cycles. However, if an attacker uses https://mysite.com/@abc@whatever@mysite.com/posts/123/, the domain whatever@mysite.com in the DB will look valid (state=updated and local=False), which might be used to construct further attacks. This patch solves the latter issue by validating the domain before saving it to the DB. This patch also prevents localhost from being used.

A future patch, IMHO, should be implemented to protect against more cases.
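As an added example, not code from the takahe project or from this PR, here is a stand-alone validator in Python (the project's language) of the kind the comment above argues for. It splits a URL path segment such as `@abc@whatever@mysite.com` on `@`, refuses any handle with more than one remote part, and validates the domain before a caller could persist it: characters outside the hostname alphabet (so `whatever@mysite.com` fails), `localhost` and anything under `.localhost`, and, by default, IP literals are all rejected. An `allow_ip` switch lets a deployment accept globally routable IP literals if it decides they are legitimate, since they are syntactically valid hosts. The function names, the username pattern, and the policy of rejecting single-label and numeric-TLD names are this example's own assumptions; the sample handles at the bottom are constructed.

```python
# Added example (not takahe code): strict validation of the domain part of an
# ActivityPub handle before anything is written to the database. Function
# names, the label/username patterns and the allow_ip policy are assumptions
# made for this example, not the project's own.
import ipaddress
import re
from typing import Optional, Tuple

# RFC 1123 hostname label: 1-63 chars of [a-z0-9-], no leading/trailing '-'.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Username alphabet: an assumption for this example.
_USER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class InvalidDomain(ValueError):
    """Raised for anything that must not be stored as a remote domain."""


def validate_domain(domain: str, allow_ip: bool = False) -> str:
    """Return the normalised (lower-case, punycode) hostname or raise.

    Rejects characters outside the hostname alphabet (so 'whatever@mysite.com'
    fails), single-label names such as 'localhost', anything under
    '.localhost', numeric TLDs, and IP literals unless allow_ip is set, in
    which case only globally routable addresses are accepted.
    """
    d = domain.strip().lower().rstrip(".")
    if not d or len(d) > 253:
        raise InvalidDomain(f"bad length: {domain!r}")

    # IP literals, with or without IPv6 brackets.
    literal = d[1:-1] if d.startswith("[") and d.endswith("]") else d
    try:
        ip = ipaddress.ip_address(literal)
    except ValueError:
        ip = None
    if ip is not None:
        if not allow_ip:
            raise InvalidDomain(f"IP literal not allowed: {domain!r}")
        if not ip.is_global:
            # loopback, link-local, private, unspecified, multicast ...
            raise InvalidDomain(f"non-public address: {domain!r}")
        return literal

    # IDNA encoding turns Unicode labels into punycode and rejects empty or
    # over-long labels ('a..b', labels of 64+ characters).
    try:
        d = d.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise InvalidDomain(f"bad IDNA name: {domain!r}") from exc

    labels = d.split(".")
    if len(labels) < 2:
        raise InvalidDomain(f"single-label name rejected: {domain!r}")
    if labels[-1] == "localhost":
        raise InvalidDomain(f"localhost rejected: {domain!r}")
    if labels[-1].isdigit():
        raise InvalidDomain(f"numeric TLD rejected: {domain!r}")
    for label in labels:
        if not _LABEL_RE.match(label):
            raise InvalidDomain(f"bad label {label!r} in {domain!r}")
    return d


def parse_handle(segment: str, allow_ip: bool = False) -> Tuple[str, Optional[str]]:
    """Split a path segment like '@abc@example.org' into (user, domain).

    A local handle '@abc' yields domain None. Any extra '@' is rejected
    outright, and a remote domain must pass validate_domain, so the caller
    never receives a domain it should not persist.
    """
    if not segment.startswith("@"):
        raise InvalidDomain(f"handle must start with '@': {segment!r}")
    parts = segment[1:].split("@")
    if len(parts) == 1:
        user, domain = parts[0], None
    elif len(parts) == 2:
        user, domain = parts
    else:
        # '@abc@whatever@mysite.com' is never a valid handle.
        raise InvalidDomain(f"too many '@' in handle: {segment!r}")
    if not _USER_RE.match(user):
        raise InvalidDomain(f"bad username: {user!r}")
    if domain is not None:
        domain = validate_domain(domain, allow_ip=allow_ip)
    return user, domain


def is_valid_domain(domain: str, allow_ip: bool = False) -> bool:
    try:
        validate_domain(domain, allow_ip=allow_ip)
        return True
    except InvalidDomain:
        return False


def is_valid_handle(segment: str, allow_ip: bool = False) -> bool:
    try:
        parse_handle(segment, allow_ip=allow_ip)
        return True
    except InvalidDomain:
        return False


if __name__ == "__main__":
    # Constructed sample handles, including the two from the comment above.
    for h in ["@abc@mastodon.social", "@abc@whatever",
              "@abc@whatever@mysite.com", "@abc@localhost", "@abc@127.0.0.1"]:
        print(h, "->", "ok" if is_valid_handle(h) else "rejected")
```

The check belongs at the point where a path segment is turned into a domain row, before the object is saved, rather than in a later housekeeping cycle: a row that already exists with a valid-looking state is exactly what the comment warns can be built upon. Unicode domains are accepted only after punycode conversion, so the stored value is always the ASCII form.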

andrewgodwin commented 6 months ago

Hmm, I'm not entirely sure about not allowing IP addresses as I think they're technically valid, but I agree we probably don't actually want them in reality.