This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

default config: blacklist more internal ips #1198

Merged

erikjohnston merged 1 commit into matrix-org:develop from euank:more-ip-blacklist

Nov 7, 2016

Contributor

euank commented Nov 7, 2016

The server making requests to 169.254.169.254 is particularly scary because quite sensitive information can be stored there (e.g. the ec2 metadata service)

That being said, since none of those pages have a title, are html, or are media, the chance of it leading to any active information leak is pretty low, so I don't feel this is an actual vulnerability, just a more complete default setting.
For completeness I included another private ip range too that was missing


          default config: blacklist more internal ips

c6bbad1

Member

matrixbot commented Nov 7, 2016

Can one of the admins verify this patch?

4 similar comments

Member

matrixbot commented Nov 7, 2016

Can one of the admins verify this patch?

Member

matrixbot commented Nov 7, 2016

Can one of the admins verify this patch?

Member

matrixbot commented Nov 7, 2016

Can one of the admins verify this patch?

Member

matrixbot commented Nov 7, 2016

Can one of the admins verify this patch?

Contributor Author

euank commented Nov 7, 2016

Thanks for doing your job so eagerly @matrixbot ❤️

erikjohnston changed the base branch from master to develop

November 7, 2016 09:37

Member

erikjohnston commented Nov 7, 2016

Thanks!

erikjohnston merged commit d24197b into matrix-org:develop

euank deleted the more-ip-blacklist branch

November 7, 2016 09:59

richvdh mentioned this pull request

Default to the blacklisting reserved IP ranges. #8870

Merged

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet