author Joey Hess <joeyh@joeyh.name> 2018-06-18 13:32:20 -0400
committer Joey Hess <joeyh@joeyh.name> 2018-06-18 13:32:20 -0400
commit cc08135e659d3ca9ea157246433d8aa90de3baf7
tree b2245e3e93494d3a44282831cf10059f175f5c39 /NEWS
parent 8703fdd3b75c1b249fe9143f23d1128390f391cc
prevent using local http proxies per annex.security.allowed-http-addresses
A local http proxy would bypass the security configuration. So, the security configuration has to be applied when choosing whether to use the proxy.

While http rebinding attacks against the dns lookup of the proxy IP address seem very unlikely, this implementation does prevent them, since it resolves the IP address once, checks it, and then reconfigures http-client's proxy using the resolved address.

This commit was sponsored by Ole-Morten Duesund on Patreon.
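The resolve-once, check, then pin approach the commit message describes, sketched in Python as an added example (this is not git-annex's own Haskell code). `pin_proxy`, `address_allowed`, the `allowed` set standing in for annex.security.allowed-http-addresses, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit


def system_resolve(host, port):
    """Resolve host with the OS resolver and return a list of IP strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0].split("%")[0] for info in infos]  # drop IPv6 scope id


def address_allowed(ip, allowed):
    """Global addresses pass; anything else only if explicitly allowed.

    `allowed` is a hypothetical set of IP strings standing in for the
    annex.security.allowed-http-addresses setting.
    """
    addr = ipaddress.ip_address(ip)
    # Treat ::ffff:127.0.0.1 as 127.0.0.1 so the mapped form cannot
    # slip past the check.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr) in allowed or addr.is_global


def pin_proxy(proxy_url, allowed=frozenset(), resolve=system_resolve):
    """Return the proxy URL rewritten to a checked IP address, or None.

    The hostname is looked up exactly once. The address that passed the
    check is the one placed in the returned URL, so a later DNS answer
    that differs (rebinding) never reaches the HTTP client. Credentials
    and paths in the proxy URL are not handled in this sketch.
    """
    parts = urlsplit(proxy_url)
    port = parts.port or 80
    for ip in resolve(parts.hostname, port):  # the single lookup
        if address_allowed(ip, allowed):
            host = f"[{ip}]" if ":" in ip else ip
            return urlunsplit((parts.scheme, f"{host}:{port}", "", "", ""))
    return None  # caller must not use this proxy


if __name__ == "__main__":
    # Constructed sample: an IP-literal proxy on localhost, no allowlist.
    print(pin_proxy("http://127.0.0.1:3128"))                 # None
    print(pin_proxy("http://127.0.0.1:3128", {"127.0.0.1"}))  # pinned URL
```

Checking the hostname and then handing the same hostname to the HTTP client would leave a second lookup between check and connect; returning the checked IP closes that window.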
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 4
1 files changed, 2 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 24672be5a1..f09009dbb0 100644
--- a/NEWS
+++ b/NEWS
@@ -5,8 +5,8 @@ git-annex (6.20180622) upstream; urgency=high
using annex.security.allowed-url-schemes.
A related security fix prevents git-annex from connecting to http
- servers on localhost or private networks. This can be overridden,
- at your own risk, using annex.security.allowed-http-addresses.
+ servers (and proxies) on localhost or private networks. This can
+ be overridden, at your own risk, using annex.security.allowed-http-addresses.
Setting annex.web-options no longer is enough to make curl be used,
and youtube-dl is also no longer used by default. See the
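Review bot: The parenthetical "(and proxies)" in the added line "servers (and proxies) on localhost or private networks" is the only notice users get that a proxy on localhost or a private network will now be refused, and it is easy to read past in an urgency=high entry. Consider a separate sentence stating that such a proxy is only used when its address is listed in annex.security.allowed-http-addresses, so users with an existing local proxy setup know what to change. As a style point, the second added line ("be overridden, at your own risk, using ...") runs noticeably longer than the neighbouring lines of the entry and could be rewrapped.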