This repository was archived by the owner on Aug 28, 2024. It is now read-only.

SafeURL doesn't filter private IPv6 addresses by default #1

@JordanMilne

SafeURL explicitly codes in support for IPv6, but no IPv6 addresses are included in the default blacklist.

SafeURL.fetch("http://[::1]/secret")

will connect to the loopback over IPv6 and return /secret's response.

Rather than add IPv6 addresses to the blacklist, SafeURL should restrict itself to resolving IPv4 addresses for the reasons outlined in JordanMilne/Advocate#3. It's difficult to impossible to safely support IPv6 in a drop-in manner.
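
Added illustration, not part of the original issue and not SafeURL's or Advocate's code: a Python sketch of the gap described above, where an IPv4-only blacklist is applied to addresses resolved for every family, next to the proposed IPv4-only resolution. The function names, the blocklist contents and the sample URLs are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed IPv4-only blocklist standing in for a default list without IPv6 entries.
IPV4_BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


def blocked(ip):
    # An IPv6 address is never "in" an IPv4 network, so ::1 matches nothing here.
    return any(ip in net for net in IPV4_BLOCKLIST)


def resolve(host, family):
    """Resolve host to a set of addresses, restricted to one address family."""
    infos = socket.getaddrinfo(host, None, family=family, type=socket.SOCK_STREAM)
    # Strip any IPv6 zone id ("fe80::1%eth0") before parsing.
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


def targets_any_family(url):
    """Gap from the issue: resolve every family, filter with an IPv4-only list."""
    addrs = resolve(urlsplit(url).hostname, socket.AF_UNSPEC)
    return sorted(str(a) for a in addrs if not blocked(a))


def targets_ipv4_only(url):
    """Proposed behaviour: resolve IPv4 only; no IPv4 address means refuse."""
    try:
        addrs = resolve(urlsplit(url).hostname, socket.AF_INET)
    except socket.gaierror:  # e.g. an IPv6 literal has no AF_INET result
        return []
    if any(blocked(a) for a in addrs):
        return []  # refuse if any resolved address is internal
    # The fetch must connect to one of these addresses, not re-resolve the name.
    return sorted(str(a) for a in addrs)


if __name__ == "__main__":
    for url in ("http://[::1]/secret", "http://127.0.0.1/secret",
                "http://203.0.113.10/"):  # constructed sample URLs
        print(url, targets_any_family(url), targets_ipv4_only(url))
```

An empty list means the request is refused; a non-empty list is the set of addresses the fetch may connect to.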
