Fokkema authored
We were notified of a blind SSRF in this feature (#577). We carefully reviewed the current functionality, and decided that some details about the review of the given URL could be left out. We'll otherwise NOT remove this feature, as it's important to validate an LOVD's URL. However, some improvements have been made.

- A sleep of half a second has been introduced in the upstream code. This makes abuse of the feature a bit harder.
- Any details of whether or not the remote URL is accessible have been removed.
- Validation of the LOVD instance has improved (also upstream), and the correct base URL of the instance is returned.
- Validation of the LOVD instance is now no longer a JS feature, but incorporated into checkForm(), which makes abusing the feature much harder, as you *must* be logged in.

As no sensitive information is shared, neither with the given URL nor with the user who initiated the URL check, the request causes no harm and we can close the issue.

Closes #577.
516b2afb
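The three mitigations listed in the commit message (the check runs only for a logged-in user, a fixed half-second delay, and no detail about whether the remote URL was reachable) can be put together in a single server-side check. The following is an added example and not LOVD's own code: the names `checkLovdUrl`, `CHECK_DELAY_US` and the `$fetch` callback are hypothetical, and because the page does not describe how an LOVD instance reports its own base URL, that part is abstracted into the callback. The http(s)-only scheme check goes slightly beyond what the commit states.

```php
<?php
// Added example, not LOVD's own code. Demonstrates a blind-SSRF-hardened URL
// check: authenticated callers only, constant delay, and a single failure
// response that does not reveal whether the remote host answered.
declare(strict_types=1);

const CHECK_DELAY_US = 500000; // half a second, the delay the commit describes

/**
 * @param string   $url      URL supplied by the user.
 * @param bool     $loggedIn Whether the caller is authenticated (assumed to come
 *                           from the application's session handling, not shown).
 * @param callable $fetch    function(string $url): ?string that returns the base
 *                           URL the remote instance reports about itself, or null
 *                           on ANY failure (DNS, refused, timeout, not an LOVD).
 *                           Injected so the example runs offline. Hypothetical.
 * @return array{ok: bool, base_url?: string}
 */
function checkLovdUrl(string $url, bool $loggedIn, callable $fetch): array
{
    // 1. The check is not available anonymously at all.
    if (!$loggedIn) {
        return ['ok' => false];
    }

    // 2. Only http(s) URLs with a host are even considered (assumption: the
    //    commit does not spell out its exact validation rules).
    $parts = parse_url($url);
    if (!is_array($parts)
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
    ) {
        return ['ok' => false];
    }

    // 3. Fixed delay on every accepted request, independent of the outcome,
    //    so enumeration of internal hosts is slowed down.
    usleep(CHECK_DELAY_US);

    // 4. Every failure mode collapses into the same answer as a malformed URL:
    //    the caller learns nothing about reachability of the target.
    $baseUrl = $fetch($url);
    if ($baseUrl === null) {
        return ['ok' => false];
    }

    // 5. On success only the validated base URL of the instance is returned,
    //    never the raw remote response.
    return ['ok' => true, 'base_url' => $baseUrl];
}

// Constructed stand-in for the network call: a fake "Internet" containing one
// LOVD instance and one unrelated host. Anything else is unreachable.
$fakeFetch = function (string $url): ?string {
    $known = [
        'https://lovd.example.org/variants.php' => 'https://lovd.example.org/',
        'http://intranet.example.local/'        => null, // reachable, but not an LOVD
    ];
    return $known[$url] ?? null; // unknown hosts: DNS failure / refused
};

// Anonymous caller: refused before anything is contacted.
var_dump(checkLovdUrl('https://lovd.example.org/variants.php', false, $fakeFetch));
// Logged-in caller, valid instance: base URL comes back.
var_dump(checkLovdUrl('https://lovd.example.org/variants.php', true, $fakeFetch));
// Logged-in caller, internal host that is up but not an LOVD: identical
// failure shape to an unreachable host below.
var_dump(checkLovdUrl('http://intranet.example.local/', true, $fakeFetch));
var_dump(checkLovdUrl('http://10.0.0.7/', true, $fakeFetch));
// Non-http scheme: rejected before the delay, same response shape.
var_dump(checkLovdUrl('file:///etc/passwd', true, $fakeFetch));
```

Note the caveat the commit itself hints at with "a bit harder": a fixed sleep only adds a constant to the response time. If the underlying fetch has a connect or read timeout, a refused port still answers faster than a silently dropped one, so the delay slows enumeration but does not by itself remove the timing oracle; the login requirement and the uniform failure response are what actually deny an anonymous attacker the feedback.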