An attacker can put a DNS name into the X-Forwarded-For header and Ninja would do a DNS lookup of it.
The code responsible is in AbstractContext.getRemoteAddr:
```java
// If ip4/6 address string handed over, simply does pattern validation.
InetAddress.getByName(forwardHeader);
```
So, contrary to the comment, getByName doesn't do a simple validation, but also does a DNS lookup if the provided value is not an IP address. This code is irrelevant and should be removed.
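As an added illustration (not Ninja's code), a hypothetical `IpLiteral` helper that decides purely by syntax whether the header value is an IPv4 or IPv6 literal, so header input can never trigger a resolver query; only a string that passes this check is handed to `InetAddress.getByName`, where it is a plain parse. The IPv6 check accepts one `::`, up to eight hex groups, and an embedded IPv4 tail, and rejects zone ids.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

// Hypothetical helper, not part of Ninja: syntax-only IP literal check.
public final class IpLiteral {
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final Pattern IPV4 =
        Pattern.compile("^(" + OCTET + "\\.){3}" + OCTET + "$");
    private static final Pattern HEX_GROUP = Pattern.compile("^[0-9a-fA-F]{1,4}$");

    public static boolean isIpv4(String s) { return IPV4.matcher(s).matches(); }

    public static boolean isIpv6(String s) {
        if (s.indexOf(':') < 0) return false;          // hostnames never contain ':'
        int dbl = s.indexOf("::");
        if (dbl >= 0 && s.indexOf("::", dbl + 1) >= 0) return false; // at most one "::"
        String[] halves = dbl >= 0
            ? new String[] { s.substring(0, dbl), s.substring(dbl + 2) }
            : new String[] { s };
        int groups = 0;
        for (int h = 0; h < halves.length; h++) {
            if (halves[h].isEmpty()) continue;
            String[] parts = halves[h].split(":", -1);
            for (int i = 0; i < parts.length; i++) {
                boolean last = h == halves.length - 1 && i == parts.length - 1;
                if (last && parts[i].indexOf('.') >= 0) {
                    if (!isIpv4(parts[i])) return false; // e.g. ::ffff:192.0.2.1
                    groups += 2;                         // IPv4 tail = two 16-bit groups
                } else if (HEX_GROUP.matcher(parts[i]).matches()) {
                    groups++;
                } else {
                    return false;                        // empty or non-hex group
                }
            }
        }
        return dbl >= 0 ? groups < 8 : groups == 8;     // "::" must elide at least one group
    }

    public static boolean isIpLiteral(String s) { return isIpv4(s) || isIpv6(s); }

    // Replacement for the unconditional getByName call: a name such as
    // "evil.example.com" or a malformed "1.2.3" is rejected before any lookup.
    public static InetAddress parseLiteral(String s) throws UnknownHostException {
        if (!isIpLiteral(s)) throw new UnknownHostException("not an IP literal: " + s);
        return InetAddress.getByName(s); // literal input: parse only, no DNS
    }
}
```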