Closed komuw closed 11 months ago
Patch coverage: 100.00% and project coverage change: +0.09% :tada:
Comparison is base (a76d950) 74.87% compared to head (f3b6c96) 74.96%. Report is 2 commits behind head on main.
Previously if a malicious person sets `bad.com` to point to an IP that you own. but,
This is because the redirector middleware first checked whether a request was http and redirected it to https at the good domain, without first checking whether the incoming Host header had the wrong value.
This PR fixes that and we now first check that the Host header has the right value, before moving on to https redirection. This does not fix all the issues, but it should suffice. See the comment that was added in the code.
Fixes: https://github.com/komuw/ong/issues/337
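As an added example of the ordering this PR describes (validate the Host header, then redirect to https), not ong's own code: a small net/http middleware with the hypothetical names `hostCheckThenRedirect` and `serve`, exercised offline with constructed requests.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostCheckThenRedirect (hypothetical name) wraps h so the Host header is
// validated BEFORE any HTTP->HTTPS redirect. A request carrying a foreign
// Host (a domain someone else pointed at this server's IP) is rejected
// instead of being bounced to https://<domain>/..., and only requests that
// already name the expected domain are redirected to its HTTPS URL.
func hostCheckThenRedirect(h http.Handler, domain string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if hh, _, err := net.SplitHostPort(host); err == nil {
			host = hh // drop an explicit :port before comparing
		}
		if !strings.EqualFold(host, domain) {
			http.Error(w, "invalid Host header", http.StatusBadRequest)
			return
		}
		if r.TLS == nil { // plain HTTP on the right domain: send to HTTPS
			http.Redirect(w, r, "https://"+domain+r.URL.RequestURI(), http.StatusPermanentRedirect)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// serve runs one constructed request through the middleware and returns the
// status code and Location header, so the check-then-redirect order is visible.
func serve(domain, hostHeader, target string, overTLS bool) (int, string) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	r := httptest.NewRequest(http.MethodGet, target, nil)
	r.Host = hostHeader // constructed Host header, as a client would send it
	if overTLS {
		r.TLS = &tls.ConnectionState{} // marks the request as having arrived over TLS
	}
	w := httptest.NewRecorder()
	hostCheckThenRedirect(ok, domain).ServeHTTP(w, r)
	return w.Code, w.Header().Get("Location")
}

func main() {
	fmt.Println(serve("good.com", "bad.com", "/login", false))  // 400, no redirect
	fmt.Println(serve("good.com", "good.com", "/login", false)) // 308 https://good.com/login
}
```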