merge-system Literal "localhost" or "127.0.0.1" in URL settings for avatars and attachments modules

Literal "localhost" or "127.0.0.1" in URL settings for avatars and attachments modules

Open yuliu opened this issue 3 years ago • 0 comments

Literal "localhost" or "127.0.0.1" in URL settings for avatars and attachments modules will prevent themselves from running. Hosts in URLs should be checked for such subjects, rather than in arbitrary path strings.

avatars: https://github.com/mybb/merge-system/blob/d453ec2b922a088cfa41a81753c37b7f038ecb77/resources/modules/avatars.php#L149 https://github.com/mybb/merge-system/blob/d453ec2b922a088cfa41a81753c37b7f038ecb77/resources/modules/avatars.php#L155
attachments: https://github.com/mybb/merge-system/blob/d453ec2b922a088cfa41a81753c37b7f038ecb77/resources/modules/attachments.php#L192 https://github.com/mybb/merge-system/blob/d453ec2b922a088cfa41a81753c37b7f038ecb77/resources/modules/attachments.php#L198

Aug 22 '20 12:08 yuliu

merge-system merge-system copied to clipboard

Literal "localhost" or "127.0.0.1" in URL settings for avatars and attachments modules

merge-system
merge-system copied to clipboard