Add a note about default filters potentially blocking #7157
Conversation
LGTM
LGTM.
However, I'm still not sure if it was the best idea to actually set a default set of filters; maybe it would've been better to have filters defined as [] and only change all templates.
Well, on the other side, people who are familiar with Play can actually just set play.http.filters.
I think
I agree with @PromanSEW
AllowedHostsFilter is there because it protects against DNS rebinding attacks. See https://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/ for the attack. This is actually a real thing, and while Play doesn't execute runnables, there's still a fair bit you can do with DNS rebinding. See for example:
So the issue isn't "this isn't needed in most cases", because in general most security features aren't needed in most cases. It's trivial for users to disable, but now it's something that has to be disabled explicitly, rather than added in.
@schmitch see https://www.playframework.com/documentation/2.6.x/Migration26#Disabling-Default-Filters for how to disable the filters
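To make the rebinding argument above concrete, here is an added example (not Play's own code and not part of this thread) that models the Host-header allow-list check AllowedHostsFilter performs, and what changes when the filter is effectively disabled by allowing every host. It assumes the allow-list semantics documented for play.filters.hosts.allowed (an entry starting with "." matches that domain and its subdomains, a bare entry matches exactly, and "." alone matches everything); the host names, ports and request dictionaries are constructed for illustration.

```python
"""Host-header allow-list check modelled on Play's AllowedHostsFilter semantics.

Added example: this is not Play's implementation. In a DNS rebinding attack the
victim's browser loads attacker.example, the attacker then re-points that name
at 127.0.0.1, and the browser sends requests to the local app while still
setting "Host: attacker.example". Refusing requests whose Host header is not on
the allow-list is what breaks that chain.
"""

# Constructed allow-list in the style of play.filters.hosts.allowed (hypothetical values).
ALLOWED_HOSTS = ["localhost", ".example.com"]


def _strip_port(host: str) -> str:
    """Reduce a Host header value to its lowercase host name, dropping any port."""
    h = host.strip().lower()
    if h.startswith("["):                      # IPv6 literal such as "[::1]:9000"
        end = h.find("]")
        return h[1:end] if end != -1 else h
    return h.rsplit(":", 1)[0] if ":" in h else h


def host_allowed(host_header, allowed=ALLOWED_HOSTS) -> bool:
    """Return True when the Host header matches an allow-list entry."""
    if not host_header:                        # missing/empty Host is rejected
        return False
    name = _strip_port(host_header)
    for pattern in allowed:
        p = pattern.lower()
        if p == ".":                           # wildcard entry: every host is accepted
            return True
        if p.startswith("."):                  # domain plus all of its subdomains
            if name == p[1:] or name.endswith(p):
                return True
        elif name == p:                        # exact host match
            return True
    return False


def handle(request_headers: dict, allowed=ALLOWED_HOSTS) -> int:
    """Return the HTTP status a filter would produce: 400 unless Host is allow-listed."""
    return 200 if host_allowed(request_headers.get("Host"), allowed) else 400


# Constructed requests (not captured traffic) illustrating the two outcomes.
LOCAL_REQUEST = {"Host": "localhost:9000"}
REBINDING_REQUEST = {"Host": "attacker.example:9000"}  # name still the attacker's after rebinding


def demo() -> dict:
    """Compare the filter's verdicts with the default list and with everything allowed."""
    return {
        "filter_on_local": handle(LOCAL_REQUEST),
        "filter_on_rebound": handle(REBINDING_REQUEST),
        "filter_disabled_rebound": handle(REBINDING_REQUEST, allowed=["."]),
    }


if __name__ == "__main__":
    print(demo())
```

The point the thread makes falls out of the last two entries: with a real allow-list the rebound request gets a 400, and the moment the list is widened to "." (or the filter removed) the same request is served as if it came from the user's own browser session.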
Thank you for these interesting articles @wsargent, I understand better. Would it not be wise to inform the documentation in a few lines of the rather important role of this protection? I think that, knowingly, developers would be less discouraged when problems arise.
@fmeriaux if you read the documentation on the AllowedHostsFilter page https://playframework.com/documentation/2.6.x/AllowedHostsFilter#Allowed-hosts-filter it says
I think that effectively communicates the role of the filter.
With regards to #7154 there isn't an explicit warning that default filters may impact sites that are upgrading.
I'll make the logs more explicit as well, so a security failure results in a log with SECURITY marker.