default config: blacklist more internal ips #1198
matrixbot commented Nov 7, 2016
Can one of the admins verify this patch?
matrixbot commented Nov 7, 2016
Can one of the admins verify this patch?
matrixbot commented Nov 7, 2016
Can one of the admins verify this patch?
matrixbot commented Nov 7, 2016
Can one of the admins verify this patch?
matrixbot commented Nov 7, 2016
Can one of the admins verify this patch?
Thanks for doing your job so eagerly @matrixbot
erikjohnston changed the base branch from master to develop Nov 7, 2016
Thanks!
erikjohnston merged commit d24197b into matrix-org:develop Nov 7, 2016
euank deleted the euank:more-ip-blacklist branch Nov 7, 2016
euank commented Nov 7, 2016
The server making requests to 169.254.169.254 is particularly scary because quite sensitive information can be stored there (e.g. the EC2 metadata service).
That being said, since none of those pages have a title, are HTML, or are media, the chance of it leading to any active information leak is pretty low, so I don't feel this is an actual vulnerability, just a more complete default setting.
For completeness I included another private IP range too that was missing.
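
An added example, not part of the original comment or the project's code: a minimal sketch of how a server-side fetcher can apply an IP range blacklist of the kind this pull request extends. The range list, function names and sample addresses are constructed for illustration and are not the project's actual defaults.

```python
import ipaddress

# Constructed blacklist for illustration; not the project's default list.
BLACKLIST = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",  # link-local; contains 169.254.169.254
    "::1/128",
    "fe80::/10",
)]


def normalise(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Without this step, an IPv6 literal that maps to an internal IPv4
    address would not match any of the IPv4 ranges.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_blacklisted(addr, blacklist=BLACKLIST):
    """True if the address falls inside any blacklisted network."""
    ip = normalise(addr)
    return any(ip.version == net.version and ip in net for net in blacklist)


def check_resolved(addresses, blacklist=BLACKLIST):
    """Return the blacklisted subset of a hostname's resolved addresses.

    The check runs on resolved IPs, not on the hostname string, and the
    fetch should be refused if the result is non-empty: a single
    internal record among several public ones is enough to reach an
    internal service.
    """
    return [a for a in addresses if is_blacklisted(a, blacklist)]


if __name__ == "__main__":
    # Constructed sample: one documentation-range address, one metadata address.
    print(check_resolved(["203.0.113.10", "169.254.169.254"]))
```
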