
Limit TitleExtractor to allow only Remark42 whitelisted domains #1681

Merged
merged 2 commits into from
Oct 11, 2023

Commits on Oct 10, 2023

  1. limit TitleExtractor to allow only Remark42 whitelisted domains

    Allowed domains consist of the `REMARK_URL` second-level domain (or the whole IP in case it's an IP like `127.0.0.1`) and `ALLOWED_HOSTS`. That is needed to prevent Remark42 from asking arbitrary servers and storing the page title as the `comment.PostTitle`.
    
    Previous behaviour allowed the caller of the API to create a comment
    with an arbitrary URL and learn the title of the page, which might be
    accessible to the server Remark42 is installed on but not to the user
    outside that network (CWE-918).
    paskal committed Oct 10, 2023
    a5c4e68
  2. limit TitleExtractor to allow only Remark42 whitelisted domains

    Allowed domains consist of the `REMARK_URL` second-level domain (or the whole IP in case it's an IP like `127.0.0.1`) and `ALLOWED_HOSTS`. That is needed to prevent Remark42 from asking arbitrary servers and storing the page title as the `comment.PostTitle`.
    
    Previous behaviour allowed the caller of the API to create a comment
    with an arbitrary URL and learn the title of the page, which might be
    accessible to the server Remark42 is installed on but not to the user
    outside that network (CWE-918).
    paskal committed Oct 10, 2023
    f0071ae
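The allowlist check the commit messages describe, as an added Go example that is not Remark42's own code: reading "second-level domain" as the last two DNS labels of the `REMARK_URL` host, treating subdomains of an allowlisted name as allowed, and the function names are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// allowedDomains builds the allowlist the commit messages describe: the second-level
// domain of REMARK_URL (the whole address if its host is an IP like 127.0.0.1) plus ALLOWED_HOSTS.
func allowedDomains(remarkURL string, allowedHosts []string) ([]string, error) {
	u, err := url.Parse(remarkURL)
	if err != nil || u.Hostname() == "" {
		return nil, fmt.Errorf("invalid REMARK_URL %q", remarkURL)
	}
	host := strings.ToLower(u.Hostname())
	if net.ParseIP(host) == nil { // DNS name: keep only the last two labels (assumed reading)
		if parts := strings.Split(host, "."); len(parts) > 2 {
			host = strings.Join(parts[len(parts)-2:], ".")
		}
	}
	out := []string{host}
	for _, h := range allowedHosts {
		if h = strings.ToLower(strings.TrimSpace(h)); h != "" {
			out = append(out, h)
		}
	}
	return out, nil
}

// titleFetchAllowed decides whether a comment's page URL may be fetched for its title:
// only http(s) URLs whose host equals an entry, or is a subdomain of a DNS entry, pass.
func titleFetchAllowed(pageURL string, allowed []string) bool {
	u, err := url.Parse(pageURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	host := strings.ToLower(u.Hostname())
	for _, d := range allowed {
		if host == d || (net.ParseIP(d) == nil && strings.HasSuffix(host, "."+d)) {
			return true
		}
	}
	return false
}

func main() {
	allowed, _ := allowedDomains("https://remark.example.com/", []string{"blog.example.org"})
	fmt.Println(allowed, titleFetchAllowed("http://127.0.0.1:8080/", allowed)) // [example.com blog.example.org] false
}
```

A loopback or other internal address is rejected unless `REMARK_URL` itself points at that IP, which is the CWE-918 case the commits close.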