original TODO for more flexible security.allowed-ip-addresses

2020-02-21 00:04:30 +00:00 · 2020-02-21 00:04:30 +00:00 · 00cbbe2789
commit 00cbbe2789
parent 02dd8ab0be
1 changed files with 5 additions and 0 deletions
--- a/doc/todo/Provide_a_way_to_white_list_local_networks_40not_just_specific_IPs41.mdwn
+++ b/doc/todo/Provide_a_way_to_white_list_local_networks_40not_just_specific_IPs41.mdwn
@ -0,0 +1,5 @@
+Original whining and use case [is buried in the comments to CVE fix announcement](https://git-annex.branchable.com/security/#comment-7d9435f13213b85896a3424c342c9a1f). In summary: `http_proxy` environment variable could point to some address within local network (e.g. `10.0.0.1/24`). `security.allowed-ip-addresses` (or older `annex.security.allowed-http-addresses`) seems to support only a whitespace separate list of addresses (too tedious to list for sizeable private networks) or "all" (too much) not support networks.  
+In case of `http_proxy` it would also be valuable to be able to limit to specific (e.g. privileged) port(s) (thus kicking back to `http` from a generic `ip`), to avoid opening access to some malicious user providing URLs on the same private network on some other port.  I think both address + port "wishlist" items are related thus filing in a single issue. 
+
+[[!meta author=yoh]]
+[[!tag projects/datalad]]