Current behavior is very insecure; this patch solves part of the problem but not all.
E.g. https://mysite.com/@abc@whatever/posts/123/ will create garbage data in the database, which is a bit insecure, but the data is at least marked as `connection_issue` after some stator cycle. However, if an attacker uses https://mysite.com/@abc@whatever@mysite.com/posts/123/, the domain `whatever@mysite.com` in the db will look valid (state=updated and local=False), which might be used to construct further attacks. This patch solves the latter issue by validating the domain before saving to the db. This patch also prevents `localhost` from being used.
A future patch IMHO should be implemented to protect against more cases.
Hmm, I'm not entirely sure about not allowing IP addresses as I think they're technically valid, but I agree we probably don't actually want them in reality.
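
An added example, not code from this patch or project: one way to validate the domain part of a handle before anything is written to the database. The function names, the choice to split at the first `@`, and the rejection of single-label names such as `whatever` are assumptions that go further than the patch described above.

```python
import ipaddress
import re
from typing import Optional, Tuple

# One DNS label: 1-63 chars of a-z, 0-9 or '-', with no leading/trailing '-'.
# Punycode ("xn--...") labels pass; raw Unicode labels do not.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize_remote_domain(domain: str) -> Optional[str]:
    """Return the lower-cased domain if it is acceptable, else None."""
    domain = domain.lower()
    if not domain or len(domain) > 253:
        return None
    # Reject IP literals, including bracketed IPv6 (the stricter choice
    # discussed in the thread).
    try:
        ipaddress.ip_address(domain.strip("[]"))
        return None
    except ValueError:
        pass
    labels = domain.split(".")
    # Assumption: remote domains need at least two labels, so "localhost"
    # and "whatever" are refused, as is anything under ".localhost".
    if len(labels) < 2 or labels[-1] == "localhost":
        return None
    # An all-digit final label is never a real TLD.
    if labels[-1].isdigit():
        return None
    # Any '@', '/', ':' or whitespace fails the per-label character check,
    # which is what stops "whatever@mysite.com" from being stored.
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return domain


def split_handle(handle: str) -> Tuple[str, str]:
    """Split '@user@domain' into (user, domain); raise ValueError if unsafe."""
    username, sep, raw_domain = handle.lstrip("@").partition("@")
    domain = normalize_remote_domain(raw_domain) if sep else None
    if not username or domain is None:
        raise ValueError(f"invalid handle: {handle!r}")
    return username, domain
```

Calling `split_handle` before any lookup or save means a rejected handle never produces a domain row at all, rather than one that is cleaned up later.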