[ https://issues.apache.org/jira/browse/OFBIZ-11588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236737#comment-17236737 ]
Jacques Le Roux commented on OFBIZ-11588:
-----------------------------------------
As I asked in my 1st comment:
bq. Should we not care about security when using 0.0.0.0 (I gave a few links as examples)? When is it really needed instead of localhost or 127.0.0.1?
I got no valid answer from Pierre.
Let me say it crudely: I see no improvement with this PR. I see no security issues in host-headers-allowed as it's OOTB. So I see no reason to apply this PR and yes we should close both the Jira issue and the PR. :)
> Have 'host-headers-allowed' validation for all local headers
> ------------------------------------------------------------
>
> Key: OFBIZ-11588
> URL: https://issues.apache.org/jira/browse/OFBIZ-11588
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/security
> Affects Versions: Trunk
> Reporter: Pierre Smits
> Assignee: Pierre Smits
> Priority: Major
> Labels: CSRF, security
>
> The ip address 0.0.0.0 is missing from the list.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)