author | Joey Hess <joeyh@joeyh.name> | 2018-06-18 13:32:20 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2018-06-18 13:32:20 -0400 |
commit | cc08135e659d3ca9ea157246433d8aa90de3baf7 (patch) | |
tree | b2245e3e93494d3a44282831cf10059f175f5c39 /NEWS | |
parent | 8703fdd3b75c1b249fe9143f23d1128390f391cc (diff) |
prevent using local http proxies per annex.security.allowed-http-addresses

A local http proxy would bypass the security configuration. So,
the security configuration has to be applied when choosing whether to
use the proxy.

While http rebinding attacks against the dns lookup of the proxy IP
address seem very unlikely, this implementation does prevent them, since
it resolves the IP address once, checks it, and then reconfigures
http-client's proxy using the resolved address.

This commit was sponsored by Ole-Morten Duesund on Patreon.
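
The resolve-once, check, then pin sequence that the commit message describes, as an added Python example; it is not git-annex's Haskell code. The names `pin_proxy` and `is_allowed`, the `allowed` list of IP literals standing in for annex.security.allowed-http-addresses, and the sample hosts and addresses are assumptions made here.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def default_resolver(host, port):
    """One DNS lookup; returns IP strings (IPv6 scope ids stripped)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0].split("%")[0] for info in infos]

def is_allowed(ip, allowed):
    """Assumed policy: public addresses pass; loopback, private and
    link-local ones pass only if listed in `allowed` (IP literals)."""
    addr = ipaddress.ip_address(ip)
    if any(addr == ipaddress.ip_address(a) for a in allowed):
        return True
    return addr.is_global

def pin_proxy(proxy_url, allowed=(), resolver=default_resolver):
    """Return the proxy URL rewritten to a checked IP literal,
    or None when no resolved address is permitted."""
    parts = urlsplit(proxy_url)
    if parts.hostname is None:
        return None
    port = parts.port or 80
    # Resolve exactly once. The caller connects to the literal returned
    # here, so a second lookup can never yield a different address.
    for ip in resolver(parts.hostname, port):
        if is_allowed(ip, allowed):
            literal = f"[{ip}]" if ":" in ip else ip
            userinfo = parts.netloc.rpartition("@")[0]
            prefix = f"{userinfo}@" if userinfo else ""
            return f"{parts.scheme}://{prefix}{literal}:{port}"
    return None

if __name__ == "__main__":
    # Constructed resolver data so the demo runs offline.
    table = {"cache.example": ["127.0.0.1"], "gw.example": ["93.184.216.34"]}
    fake = lambda host, port: table[host]
    print(pin_proxy("http://cache.example:3128", resolver=fake))
    print(pin_proxy("http://cache.example:3128", ("127.0.0.1",), fake))
    print(pin_proxy("http://gw.example:8080", resolver=fake))
```
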
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -5,8 +5,8 @@ git-annex (6.20180622) upstream; urgency=high using annex.security.allowed-url-schemes. A related security fix prevents git-annex from connecting to http - servers on localhost or private networks. This can be overridden, - at your own risk, using annex.security.allowed-http-addresses. + servers (and proxies) on localhost or private networks. This can + be overridden, at your own risk, using annex.security.allowed-http-addresses. Setting annex.web-options no longer is enough to make curl be used, and youtube-dl is also no longer used by default. See the |
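Review bot: In the NEWS hunk, the reworded sentence "servers (and proxies) on localhost or private networks" does not tell a user with a configured local proxy what they will now see, that is, whether the proxy is skipped or the request fails. The commit message says the security configuration is applied when choosing whether to use the proxy, so consider stating that outcome in the entry and saying explicitly that annex.security.allowed-http-addresses is the setting that permits such a proxy again. The diff shown here is limited to NEWS, so the resolve-once-and-pin logic described in the commit message cannot be reviewed from these lines.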