[ https://issues.apache.org/jira/browse/OFBIZ-11588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236688#comment-17236688 ]
Daniel Watford commented on OFBIZ-11588:
----------------------------------------
Hi [~jleroux]
We would want to apply this PR since it satisfies the improvement requested by the ticket.... with the following caveats.
I'm not sure this is a valid improvement, hence my question to Pierre about the intention of using 0.0.0.0 in the host-headers-allowed property. If this is not a valid improvement then we should close OFBIZ-11588 and the PR.
If this is a valid improvement then we should apply the PR as long as doing so doesn't break the demo environments. In your previous comment I'm not sure if you are telling me that applying the PR wouldn't break the demo environments, or just that no changes for the demo environments have been proposed and may still be needed.
I came to this ticket and PR by looking through the open PRs on GitHub to see what I could test and review. This seemed like a good candidate to try and progress since the changes were quite small, potentially a quick win for reducing our open PR count.
> Have 'host-headers-allowed' validation for all local headers
> ------------------------------------------------------------
>
> Key: OFBIZ-11588
> URL: https://issues.apache.org/jira/browse/OFBIZ-11588
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/security
> Affects Versions: Trunk
> Reporter: Pierre Smits
> Assignee: Pierre Smits
> Priority: Major
> Labels: CSRF, security
>
> The ip address 0.0.0.0 is missing from the list.