Skip to content
This repository has been archived by the owner on Jul 24, 2023. It is now read-only.

Avoid SSRF for claimed_id request #121

Merged
merged 1 commit into from
Jun 26, 2019

Commits on Apr 16, 2019

  1. Avoid SSRF for claimed_id request

    `verify_discovery_results` sends a request to openid.claimed_id URL.
    Anybody can change claimed_id URL but request still will be sent. 
    For example, sending a request to the internal network or localhost:
    https://myserver/callback?_method=post&openid.claimed_id=http://localhost:3000/do_method.....
    
    I think, we must check signature before use any data from the URL
    faberge-eggs authored Apr 16, 2019
    Configuration menu
    Copy the full SHA
    8a4c31a View commit details
    Browse the repository at this point in the history