
validate that we get the correct content-type from an AP request

dakkar requested to merge dakkar/Sharkey-thenautilus:fix/ssrf into develop

What does this PR do?

This mitigates the risks of server-side request forgery.

The idea: if we request a certain type, and the server returns a different type, we bail. So, whenever we expect JSON, if we get something that looks like JSON but the server says it isn't, trust the server! Even if the server is our own proxy…

I think this won't break anything that currently works… very few places pass an Accept header, and all those seem to need the protection.

Contribution Guidelines: By submitting this merge request, you agree to follow our Contribution Guidelines

  • I agree to follow this project's Contribution Guidelines
  • I have made sure to test this pull request
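One way to implement the check the description sketches, as an added example that is not the code from this merge request or from Sharkey: the Accept header we send is parsed into the media types we are willing to take, and the response's Content-Type must name one of them, including any parameter we asked for (the ActivityStreams profile on `application/ld+json`). A body that happens to parse as JSON but arrives labelled `text/html`, or with no Content-Type at all, is rejected on the server's word, which is the SSRF case the MR targets. The function names, the `AP_ACCEPT` string, and the `MinimalResponse` shape are assumptions for the example; the fake response in `demo()` is constructed.

```typescript
// Added example, not Sharkey's code. Names below are illustrative assumptions.

interface MediaType {
  type: string;                    // e.g. "application/ld+json"
  params: Record<string, string>;  // e.g. { profile: "https://www.w3.org/ns/activitystreams" }
}

// Parse one media type such as `application/ld+json; profile="..."`.
// Parameters are split on ';' which is fine for the AP types we deal with
// (no quoted ';' appears in them). Returns null for anything malformed.
function parseMediaType(value: string): MediaType | null {
  const [rawType, ...rawParams] = value.split(';');
  const type = rawType.trim().toLowerCase();
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  if (!new RegExp(`^${token}/${token}$`).test(type)) return null;
  const params: Record<string, string> = {};
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    const name = p.slice(0, eq).trim().toLowerCase();
    let val = p.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (name) params[name] = val;
  }
  return { type, params };
}

// Media types we are willing to accept, taken from the Accept header *we* sent,
// so a plain split on ',' is safe (we control the value).
function acceptedTypes(accept: string): MediaType[] {
  return accept.split(',').map((s) => parseMediaType(s)).filter((m): m is MediaType => m !== null);
}

// Does the server's Content-Type satisfy one of the types we asked for?
// We trust the header, never the body: a missing or foreign type means "bail".
function contentTypeSatisfiesAccept(accept: string, contentType: string | null): boolean {
  if (contentType === null) return false;
  const got = parseMediaType(contentType);
  if (got === null) return false;
  return acceptedTypes(accept).some((want) => {
    if (want.type === '*/*') return true;
    if (want.type !== got.type) return false;
    // Every parameter we asked for (except a q weight) must come back with the same value,
    // e.g. the ActivityStreams profile. Extra response params such as charset are allowed.
    return Object.entries(want.params).every(([k, v]) => k === 'q' || got.params[k] === v);
  });
}

// The Accept value an ActivityPub client typically sends (assumed for this example).
const AP_ACCEPT =
  'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"';

// Minimal slice of a fetch Response so the wrapper can be exercised with a fake.
interface MinimalResponse {
  status: number;
  headers: { get(name: string): string | null };
  text(): Promise<string>;
}
type Fetcher = (url: string, init: { headers: Record<string, string> }) => Promise<MinimalResponse>;

// Fetch an AP object and refuse anything the server does not declare as an AP type.
async function fetchActivityPubJson(url: string, fetchImpl: Fetcher): Promise<unknown> {
  const res = await fetchImpl(url, { headers: { Accept: AP_ACCEPT } });
  if (res.status < 200 || res.status >= 300) throw new Error(`HTTP ${res.status} from ${url}`);
  const ct = res.headers.get('content-type');
  if (!contentTypeSatisfiesAccept(AP_ACCEPT, ct)) {
    throw new Error(`unexpected content-type ${ct ?? '(none)'} from ${url}; wanted ${AP_ACCEPT}`);
  }
  return JSON.parse(await res.text());
}

// Demo with a constructed response: an internal endpoint that returns JSON-looking
// text but labels it text/html must be rejected even though JSON.parse would succeed.
async function demo(): Promise<string> {
  const fakeFetch: Fetcher = async () => ({
    status: 200,
    headers: { get: (n) => (n.toLowerCase() === 'content-type' ? 'text/html; charset=utf-8' : null) },
    text: async () => '{"token":"constructed-secret"}',
  });
  try {
    await fetchActivityPubJson('http://169.254.169.254/latest/meta-data/', fakeFetch);
    return 'accepted (bad)';
  } catch (e) {
    return `rejected: ${(e as Error).message}`;
  }
}

demo().then((line) => console.log(line));
```

The pure `contentTypeSatisfiesAccept` is the piece worth unit-testing on its own; the async wrapper only wires it between the request and `JSON.parse`, which is the point of the MR: the parse never runs on a body the server did not declare as one of the requested types.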
