  1. Openfire
  2. OF-1902

Further limit HTTP fetching security from Openfire

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.4.2
    • Fix Version/s: 4.5.0
    • Component/s: Core
    • Labels:
      None

      Description

      https://github.com/igniterealtime/Openfire/pull/1497#issuecomment-538382149

      Having pondered, I worry that even if we're not displaying it, the admin console will happily fetch any file off any HTTP server it has access to. If it were me, I'd probably lean towards changing the way this works such that the servlet
      (a) Only fetches favicons from S2S connected servers, and
      (b) Only fetches the favicon
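
One way to express restrictions (a) and (b) as a check that runs before any outbound request. This is an added example, not code from Openfire or from the linked pull request. The class name `FaviconTarget`, the `resolve` method, the caller-supplied set of S2S-connected domains, and the fixed `https` scheme and `/favicon.ico` path are all assumptions made for illustration.

```java
import java.net.IDN;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/** Hypothetical helper (not Openfire code): maps an untrusted host parameter to the single URL that may be fetched. */
public final class FaviconTarget {
    private FaviconTarget() {}

    /**
     * @param requestedHost host parameter from the admin console request (untrusted)
     * @param s2sDomains lower-case ASCII domains with an established S2S session; assumed supplied by the caller
     * @return the favicon URL to fetch, or empty when the request must be refused
     */
    public static Optional<URI> resolve(String requestedHost, Set<String> s2sDomains) {
        if (requestedHost == null || requestedHost.isEmpty() || requestedHost.length() > 253) {
            return Optional.empty();
        }
        final String host;
        try {
            // STD3 rules allow only letters, digits, hyphen and dot, so "/", ":", "@", "?" are refused here.
            host = IDN.toASCII(requestedHost, IDN.USE_STD3_ASCII_RULES).toLowerCase(Locale.ROOT);
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // (a) exact match against S2S-connected domains: no suffix or substring matching.
        if (!s2sDomains.contains(host)) {
            return Optional.empty();
        }
        try {
            // (b) scheme and path are fixed by the server; nothing from the request reaches them.
            return Optional.of(new URI("https", host, "/favicon.ico", null));
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        Set<String> connected = Set.of("example.org", "chat.example.net"); // constructed sample data
        String[] inputs = {"example.org", "EXAMPLE.ORG", "127.0.0.1", "example.org/admin", "example.org:8080", "other.example"};
        for (String in : inputs) {
            System.out.println(in + " -> " + resolve(in, connected).map(URI::toString).orElse("refused"));
        }
    }
}
```

The check only constrains the first request; the fetch itself also needs redirect following disabled (for example `HttpURLConnection.setInstanceFollowRedirects(false)`), otherwise an allowed host can bounce the servlet to an arbitrary URL.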

              People

              Assignee:
              gdt Greg Thomas
              Reporter:
              akrherz Daryl Herzmann