Описание
SafeURL-Python's hostname blocklist does not block FQDNs
Description
If a hostname was blacklisted, it was possible to bypass the blacklist by requesting the FQDN of the host (e.g. adding . to the end).
Impact
The main purpose of this library is to block requests to internal/private IPs and these cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, then an attacker would be able to circumvent that block to cause SSRFs to request those hostnames.
Patches
Fixed by https://github.com/IncludeSecurity/safeurl-python/pull/6
Credit
Пакеты
Наименование
SafeURL-Python
pip
Затронутые версииВерсия исправления
< 1.3
1.3