mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-22 10:21:36 +03:00
6875796417
no issue

It was possible for authenticated/trusted admin users to make GET requests to localhost via the oembed service by crafting a redirect that used 0.0.0.0.

- added the 0.* default route/routing block to the private IP regex used to block requests when we're contacting external sites
- added an additional IP or localhost check in the oembed service when fetching bookmark card data

- common
- image
- mobiledoc.js
- request-external.js
- validate-password.js