Ghost/core/server/lib
Kevin Ansfield 6875796417 Blocked 0.* IP addresses when making oembed requests
no issue

It was possible for authenticated/trusted admin users to make GET requests to localhost via the oembed service by crafting a redirect that used 0.0.0.0.

- added the 0.* default route/routing block to the private IP regex used to block requests when we're contacting external sites
- added an additional IP or localhost check in the oembed service when fetching bookmark card data
2021-09-14 11:35:14 +01:00
common Moved settings/cache to shared/settings-cache 2021-06-30 15:49:10 +01:00
image Moved settings/cache to shared/settings-cache 2021-06-30 15:49:10 +01:00
mobiledoc.js Change to use @tryghost/logging 2021-06-15 15:59:11 +01:00
request-external.js Blocked 0.* IP addresses when making oembed requests 2021-09-14 11:35:14 +01:00
validate-password.js Moved settings/cache to shared/settings-cache 2021-06-30 15:49:10 +01:00