The default value security.http.urls used most notably in resources.GetRemote allows all URLs.
This was reported as a "security vulnerability". After reviewing it against our security model, we consider this to be in the security scope of what's trusted.
This model assumes that template and configuration authors, the developers, are trustworthy. However, the data supplied to these templates is inherently considered untrusted.
One could argue that the URLs could get passed in as data, but that sounds like an uncommon setup where the site creator should be extra alert (and e.g. tighten the security settings). Also, for that data to be a security risk, the trusted templates would have to do something insecure for it to become an issue.
But we do agree with the reporter that the defaults could be hardened to find one or more regexps that exclude private/loopback IP ranges.
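The hardening the issue proposes has two practical layers, shown here as an added example that is not Hugo's own code: a positive allowlist in the style of the security.http.urls setting (which Hugo matches as Go/RE2 regular expressions, so a pattern cannot "exclude" ranges with lookahead), and an address-range check that rejects loopback, private, link-local and unspecified hosts whether they appear as literals, as IPv4-mapped IPv6, or behind a DNS name. The Policy type, Check, HardenedPolicy, DefaultPolicy and the resolver functions are this example's own names; the hostnames and addresses in ConstructedResolve are constructed so the code runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
)

// Policy models a security.http.urls-style regexp allowlist plus the
// address-range check a regexp alone cannot express. Example-only names.
type Policy struct {
	URLPatterns []*regexp.Regexp
	// Resolve maps a hostname to its addresses; injected so tests run offline.
	Resolve func(host string) ([]netip.Addr, error)
}

// isDisallowedAddr rejects loopback, private (RFC 1918 / ULA), link-local,
// multicast and unspecified addresses after unmapping ::ffff:a.b.c.d forms.
func isDisallowedAddr(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified()
}

// Check returns nil only for an http(s) URL that matches at least one pattern
// and whose host is neither a disallowed literal address, "localhost", nor a
// name that resolves to a disallowed address.
func (p Policy) Check(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	allowed := false
	for _, re := range p.URLPatterns {
		if re.MatchString(raw) {
			allowed = true
			break
		}
	}
	if !allowed {
		return errors.New("url matches no pattern in security.http.urls")
	}
	host := u.Hostname() // strips port and IPv6 brackets
	if host == "" {
		return errors.New("empty host")
	}
	if addr, err := netip.ParseAddr(host); err == nil {
		if isDisallowedAddr(addr) {
			return fmt.Errorf("literal address %s is in a disallowed range", addr)
		}
		return nil
	}
	lower := strings.ToLower(host)
	if lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return errors.New("localhost is not allowed")
	}
	if p.Resolve != nil {
		addrs, err := p.Resolve(host)
		if err != nil {
			return fmt.Errorf("resolve %s: %w", host, err)
		}
		for _, a := range addrs {
			if isDisallowedAddr(a) {
				return fmt.Errorf("%s resolves to disallowed address %s", host, a)
			}
		}
	}
	return nil
}

// LiveResolve uses the system resolver; the demo below uses the fake instead.
func LiveResolve(host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(context.Background(), "ip", host)
}

// ConstructedResolve is a made-up DNS table so the example runs offline.
func ConstructedResolve(host string) ([]netip.Addr, error) {
	table := map[string][]netip.Addr{
		"cdn.example.org":      {netip.MustParseAddr("203.0.113.10")},
		"intranet.example.org": {netip.MustParseAddr("10.20.30.40")},
	}
	if addrs, ok := table[strings.ToLower(host)]; ok {
		return addrs, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

// DefaultPolicy keeps the allow-all pattern ('.*') but adds the range check.
func DefaultPolicy() Policy {
	return Policy{URLPatterns: []*regexp.Regexp{regexp.MustCompile(`.*`)}, Resolve: ConstructedResolve}
}

// HardenedPolicy replaces '.*' with a positive allowlist of expected hosts.
func HardenedPolicy() Policy {
	return Policy{URLPatterns: []*regexp.Regexp{regexp.MustCompile(`^https://cdn\.example\.org/`)}, Resolve: ConstructedResolve}
}

func main() {
	for _, raw := range []string{"https://cdn.example.org/data.json", "https://127.0.0.1/", "https://intranet.example.org/"} {
		fmt.Printf("default: %-36s %v\n", raw, DefaultPolicy().Check(raw))
		fmt.Printf("hardened: %-35s %v\n", raw, HardenedPolicy().Check(raw))
	}
}
```

The two layers are deliberately separate: the regexp allowlist is what a site author can already express in configuration, while the address check belongs at fetch time because a name such as intranet.example.org looks harmless as a string and is only identifiable as private once resolved.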