mirror of
https://github.com/discourse/discourse.git
synced 2024-11-22 09:42:02 +08:00
SECURITY: Consider 0.0.0.0
a private IP
This commit is contained in:
parent
9fff53407c
commit
236243f38a
|
@ -293,6 +293,7 @@ class FinalDestination
|
|||
|
||||
def self.standard_private_ranges
|
||||
@private_ranges ||= [
|
||||
IPAddr.new('0.0.0.0/8'),
|
||||
IPAddr.new('127.0.0.1'),
|
||||
IPAddr.new('172.16.0.0/12'),
|
||||
IPAddr.new('192.168.0.0/16'),
|
||||
|
|
|
@ -337,6 +337,11 @@ describe FinalDestination do
|
|||
expect(fd("https://104.25.153.10").is_dest_valid?).to eq(true)
|
||||
end
|
||||
|
||||
it "returns false for short ip" do
|
||||
expect(FinalDestination.new('https://0/logo.png').is_dest_valid?).to eq(false)
|
||||
expect(FinalDestination.new('https://1/logo.png').is_dest_valid?).to eq(false)
|
||||
end
|
||||
|
||||
it "returns false for private ipv4" do
|
||||
expect(fd("https://127.0.0.1").is_dest_valid?).to eq(false)
|
||||
expect(fd("https://192.168.1.3").is_dest_valid?).to eq(false)
|
||||
|
|
Loading…
Reference in New Issue
Block a user