    Complete rebuild of the URL validation on the system settings form. · 516b2afb
    Fokkema authored
    We were notified of a blind SSRF in this feature (#577). We carefully
    reviewed the current functionality, and decided that some details about
    the review of the given URL could be left out. We'll otherwise NOT
    remove this feature, as it's important to validate an LOVD's URL.
    However, some improvements have been made.
    
    - A sleep of half a second has been introduced in the upstream code.
    This makes abuse of the feature a bit harder.
    - Any details of whether or not the remote URL is accessible
    have been removed.
    - Validation of the LOVD instance has improved (also upstream), and the
    correct base URL of the instance is returned.
    - Validation of the LOVD instance is now no longer a JS feature, but
    incorporated into the checkForm() which makes abusing the feature
    much harder as you *must* be logged in.
    
    As no sensitive information is shared, neither with the given URL nor
    with the user who initiated the URL check, the request causes no harm
    and we can close the issue.
    
    Closes #577.