Author: | Source: Internet | 2023-10-10 12:52
Explanation
I'm a big fan of services like Cloudflare but I've noticed the way Flarum handles avatars allows anybody to leak the server IP.
When registering or updating your user settings, you can pass an attribute that will be downloaded and set as avatar.
This looks deliberate; however, this allows any user to ask the server to perform a request to any given URL.
Maybe this should be limited to admins or controlled via a permission?
Technical details
- Version of Flarum: master
Both Flarum\User\Command\RegisterUserHandler and Flarum\User\Command\EditUserHandler allow the use of without restrictions.
This question comes from the open-source project: flarum/core
I like what proposed. Make the whitelist empty by default and allow extensions (specifically the Oauth ones) and/or admins to add approved hosts.
Another option would be to only allow the avatarurl attribute to be used in the context of Oauth signup.
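The host allowlist the reply proposes, written out as an added example that is not part of the issue thread or of Flarum's own code: the approved set starts empty, an extension or admin adds hosts, and every other URL is refused before any fetch happens. The class and method names are assumptions.

```python
from urllib.parse import urlsplit
import ipaddress


class AvatarUrlPolicy:
    """Decide whether a user-supplied avatar URL may be fetched by the server.

    Hypothetical helper, not Flarum code. Mirrors the proposal in the thread:
    the allowlist is empty by default, so no remote fetch is possible until
    an extension (e.g. an OAuth provider) or an admin approves a host.
    """

    def __init__(self, allowed_hosts=None):
        self.allowed_hosts = {h.lower() for h in (allowed_hosts or [])}

    def approve_host(self, host):
        # Exact host match only: approving "example.com" does not approve
        # "x.example.com" or any other subdomain.
        self.allowed_hosts.add(host.lower())

    def reason_rejected(self, url):
        """Return None if the URL may be fetched, otherwise a short reason."""
        try:
            parts = urlsplit(url)
        except ValueError:
            return "unparseable url"
        if parts.scheme != "https":
            return "scheme must be https"
        host = parts.hostname
        if not host:
            return "missing host"
        if parts.username or parts.password:
            return "credentials in url"
        try:
            ipaddress.ip_address(host)  # covers both IPv4 and bracketed IPv6
            return "ip literal not allowed"
        except ValueError:
            pass  # not an IP literal, continue with the hostname check
        if host.lower() not in self.allowed_hosts:
            return "host not in allowlist"
        return None

    def is_allowed(self, url):
        return self.reason_rejected(url) is None
```

The check only validates the URL string; the name it resolves to at fetch time is not inspected here, so the fetching code still needs its own controls on where the connection actually goes.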