validate that we get the correct content-type from an AP request
What does this PR do?
This mitigates the risks of server-side request forgery.
The idea: if we request a certain type, and the server returns a different type, we bail. So, whenever we expect JSON, if we get something that looks like JSON but the server says it isn't, trust the server! Even if the server is our own proxy…
I think this won't break anything that currently works… very few places pass an Accept header, and all those seem to need the protection.
Contribution Guidelines
By submitting this merge request, you agree to follow our Contribution Guidelines
- I agree to follow this project's Contribution Guidelines
- I have made sure to test this pull request
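One way to implement the check described in the merge request, as an added example that is not code from this merge request or its project. The Accept value, the function names and the sample responses are assumptions constructed for illustration; wildcard Accept entries are deliberately not honoured.

```python
import json

# Assumption: Accept value for an ActivityPub fetch (media types from the ActivityPub spec).
AP_ACCEPT = ('application/activity+json, '
             'application/ld+json; profile="https://www.w3.org/ns/activitystreams"')

def parse_media_type(value):
    """Split 'type/subtype; k=v' into (type, params); naive split, no quoted ';' or ','."""
    essence, *rest = [p.strip() for p in value.split(";")]
    params = {}
    for item in rest:
        key, sep, val = item.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip('"')
    return essence.lower(), params

def content_type_matches(accept, content_type):
    """True only if the declared Content-Type is one of the types we asked for."""
    if not content_type:
        return False  # no declared type: nothing to trust
    got, got_params = parse_media_type(content_type)
    for entry in accept.split(","):
        want, want_params = parse_media_type(entry)
        want_params.pop("q", None)  # preference weight, not part of the type
        # A wildcard such as */* never equals a concrete type, so it matches nothing.
        if got == want and all(got_params.get(k) == v for k, v in want_params.items()):
            return True
    return False

def decode_json_response(accept, headers, body):
    """Parse body as JSON only after checking the server's own label for it."""
    declared = {k.lower(): v for k, v in headers.items()}.get("content-type")
    if not content_type_matches(accept, declared):
        raise ValueError(f"unexpected content-type: {declared!r}")
    return json.loads(body)

# Constructed sample responses: the same JSON-looking body under different labels.
BODY = b'{"type": "Person", "id": "https://example.org/users/a"}'
SAMPLES = {
    "activity+json": {"Content-Type": "application/activity+json; charset=utf-8"},
    "ld+json, no profile": {"Content-Type": "application/ld+json"},
    "upload served as image": {"content-type": "image/png"},
    "no header": {},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        try:
            print(name, "->", decode_json_response(AP_ACCEPT, headers, BODY)["type"])
        except ValueError as err:
            print(name, "-> bail:", err)
```

Only the first sample is parsed; the other three carry the identical body and are rejected on the declared type alone.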