majestrate
commented
6 years ago if it's binding to localname.tld:port it should instead set the r.expectedHost value to the right value instead of doing an dns lookup IMO.
Closed nwmcsween closed 6 years ago
majestrate
commented
6 years ago if it's binding to localname.tld:port it should instead set the r.expectedHost value to the right value instead of doing an dns lookup IMO.
majestrate
commented
6 years ago this code bypasses the protections i put in place to mitigate dns-rebinding attacks.
suggested reading: https://crypto.stanford.edu/dns/dns-rebinding.pdf
nwmcsween
commented
6 years ago Is there a safe way to resolve names (resolve only local ranges)? The current git using bind = hostname.tld:port resolves to 127.0.0.1 instead of the DHCP IP (192.168...) which won't work on a home network
majestrate
commented
6 years ago i added a new option host in the rpc section, use that to set the expected host
This fixed using a hostname in the bind configuration e.g.
bind = local.tld:port