authorMatt Holt <[email protected]>2023-08-02 11:13:52 -0600
committerGitHub <[email protected]>2023-08-02 11:13:52 -0600
commitf66493efef4d909fdeb68a2ce8131d58e17333b3 (patch)
tree708db84035c22ba9c676293ad3b965d6b7c8bc4e /admin.go
parent5c51c1db2ce450a3fa003834097ad010b3844673 (diff)
core: Allow loopback hosts for admin endpoint (fix #5650) (#5664)
Diffstat (limited to 'admin.go')
-rw-r--r--admin.go25
1 files changed, 25 insertions, 0 deletions
diff --git a/admin.go b/admin.go
index 4a1d23b60..1966556a5 100644
--- a/admin.go
+++ b/admin.go
@@ -318,7 +318,32 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
// messages. If the requested URI does not include an Internet host
// name for the service being requested, then the Host header field MUST
// be given with an empty value."
+ //
+ // UPDATE July 2023: Go broke this by patching a minor security bug in 1.20.6.
+ // Understandable, but frustrating. See:
+ // https://github.com/golang/go/issues/60374
+ // See also the discussion here:
+ // https://github.com/golang/go/issues/61431
+ //
+ // We can no longer conform to RFC 2616 Section 14.26 from either Go or curl
+ // in purity. (Curl allowed no host between 7.40 and 7.50, but now requires a
+ // bogus host; see https://superuser.com/a/925610.) If we disable Host/Origin
+ // security checks, the infosec community assures me that it is secure to do
+ // so, because:
+ // 1) Browsers do not allow access to unix sockets
+ // 2) DNS is irrelevant to unix sockets
+ //
+ // I am not quite ready to trust either of those external factors, so instead
+ // of disabling Host/Origin checks, we now allow specific Host values when
+ // accessing the admin endpoint over unix sockets. I definitely don't trust
+ // DNS (e.g. I don't trust 'localhost' to always resolve to the local host),
+ // and IP shouldn't even be used, but if it is for some reason, I think we can
+ // at least be reasonably assured that 127.0.0.1 and ::1 route to the local
+ // machine, meaning that a hypothetical browser origin would have to be on the
+ // local machine as well.
uniqueOrigins[""] = struct{}{}
+ uniqueOrigins["127.0.0.1"] = struct{}{}
+ uniqueOrigins["::1"] = struct{}{}
} else {
uniqueOrigins[net.JoinHostPort("localhost", addr.port())] = struct{}{}
uniqueOrigins[net.JoinHostPort("::1", addr.port())] = struct{}{}
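Review bot: The added unix-socket entries `uniqueOrigins["127.0.0.1"]` and `uniqueOrigins["::1"]` store the IPv6 loopback without brackets, while a Host header carrying an IPv6 literal is normally written `[::1]` (the TCP branch below gets the bracketed form from `net.JoinHostPort`). If the host check elsewhere in this file is an exact string comparison, which this hunk does not show, a client that sends `Host: [::1]` over the socket would still be rejected; adding `uniqueOrigins["[::1]"] = struct{}{}` next to the bare form would cover it. A table test over unix-socket requests that accepts the empty, `127.0.0.1` and `::1` hosts and rejects `localhost` and any non-loopback name would pin the allowlist the comment argues for. allowedOrigins starts and ends outside the hunk.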