Posted to notifications@ofbiz.apache.org by "Daniel Watford (Jira)" <ji...@apache.org> on 2020/11/20 08:52:00 UTC

[jira] [Commented] (OFBIZ-11588) Have 'host-headers-allowed' validation for all local headers

    [ https://issues.apache.org/jira/browse/OFBIZ-11588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236002#comment-17236002 ] 

Daniel Watford commented on OFBIZ-11588:
----------------------------------------

[~pierresmits] - As I understand it, 0.0.0.0 is a reserved address which might be used to match firewall rules or specify interfaces that a server should listen on. I couldn't see how it would end up in the Host header of an incoming HTTP request.

Are there cases where 0.0.0.0 would be present in the Host header? If not then 0.0.0.0 should be removed from the host-headers-allowed property in security.properties.

Please let me know if I've misunderstood the intention behind accepting 0.0.0.0 as a Host header.

> Have 'host-headers-allowed' validation for all local headers
> ------------------------------------------------------------
>
>                 Key: OFBIZ-11588
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11588
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/security
>    Affects Versions: Trunk
>            Reporter: Pierre Smits
>            Assignee: Pierre Smits
>            Priority: Major
>              Labels: CSRF, security
>
> The ip address 0.0.0.0 is missing from the list.
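
The following is an added illustration of the kind of check the `host-headers-allowed` property drives; it is example code written for this page, not OFBiz's own implementation, and the property values and Host headers it uses are constructed. It parses a comma-separated allow-list, normalises an incoming Host header (case folding, port stripping, bracketed IPv6 literals) and shows that removing 0.0.0.0 from the list only changes the outcome for a request that literally carries `Host: 0.0.0.0`, which ordinary clients never send.

```python
"""Host-header allow-list check in the style of OFBiz's
`host-headers-allowed` property (OFBIZ-11588). Added example; not
OFBiz code, and the property values below are constructed."""

# Constructed property values: one with 0.0.0.0 present, one without.
ALLOWED_WITH_ANY_ADDR = "localhost,127.0.0.1,0.0.0.0,ofbiz.example"
ALLOWED_WITHOUT_ANY_ADDR = "localhost,127.0.0.1,ofbiz.example"


def parse_allowed_hosts(property_value: str) -> frozenset:
    """Split a comma-separated properties value into a set of lower-cased
    host names, ignoring blanks so 'a, b,' parses the same as 'a,b'."""
    return frozenset(
        h.strip().lower() for h in property_value.split(",") if h.strip()
    )


def normalize_host_header(host_header: str) -> str:
    """Reduce a raw Host header to a bare, lower-cased host.

    RFC 7230 defines Host as uri-host [ ":" port ], so an optional port
    is stripped. A bracketed IPv6 literal is kept intact (brackets and
    all) so that '[::1]:8080' compares as '[::1]'. Returns '' for a
    malformed value so the caller fails closed.
    """
    value = host_header.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return ""  # unterminated IPv6 literal: treat as invalid
        return value[: end + 1]
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host
    return value


def is_host_allowed(host_header: str, allowed: frozenset) -> bool:
    """True only when the normalised Host header is in the allow-list.
    An empty header or an empty allow-list is rejected (fail closed)."""
    if not host_header or not allowed:
        return False
    host = normalize_host_header(host_header)
    return bool(host) and host in allowed


def check_requests(property_value: str, host_headers) -> dict:
    """Evaluate several Host headers against one property value."""
    allowed = parse_allowed_hosts(property_value)
    return {h: is_host_allowed(h, allowed) for h in host_headers}


if __name__ == "__main__":
    # Constructed sample Host headers as a proxy or browser might send them.
    samples = ["localhost:8443", "OFBIZ.EXAMPLE", "0.0.0.0", "attacker.test"]
    for name, value in (("with 0.0.0.0", ALLOWED_WITH_ANY_ADDR),
                        ("without 0.0.0.0", ALLOWED_WITHOUT_ANY_ADDR)):
        print(name, check_requests(value, samples))
```

Running the module shows the two allow-lists agree on every sample except the literal `0.0.0.0` header, which is the only request the extra entry ever admits.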



--
This message was sent by Atlassian Jira
(v8.3.4#803005)