From 4316d92b481718e524e17628caa1afa5d9f496a5 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 25 Feb 2020 14:38:55 -0400
Subject: [PATCH] comment
---
 ..._26d81cbc8732b65c2f0a86a33ef0f8fd._comment | 25 +++++++++++++++++++
 ..._64ffa9a560bf11ba22c715da0b4b1cfe._comment | 10 ++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 doc/todo/Provide_a_way_to_white_list_local_networks___40__not_just_specific_IPs__41__/comment_1_26d81cbc8732b65c2f0a86a33ef0f8fd._comment
 create mode 100644 doc/todo/Provide_a_way_to_white_list_local_networks___40__not_just_specific_IPs__41__/comment_2_64ffa9a560bf11ba22c715da0b4b1cfe._comment
diff --git a/doc/todo/Provide_a_way_to_white_list_local_networks___40__not_just_specific_IPs__41__/comment_1_26d81cbc8732b65c2f0a86a33ef0f8fd._comment b/doc/todo/Provide_a_way_to_white_list_local_networks___40__not_just_specific_IPs__41__/comment_1_26d81cbc8732b65c2f0a86a33ef0f8fd._comment
new file mode 100644
index 0000000000..7e2910ec03
--- /dev/null
+++ b/doc/todo/Provide_a_way_to_white_list_local_networks___40__not_just_specific_IPs__41__/comment_1_26d81cbc8732b65c2f0a86a33ef0f8fd._comment
@@ -0,0 +1,25 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-02-25T17:47:45Z"
+ content="""
+If the goal is just to allow the `http_proxy` to be used even though it
+points to a proxy on the local network, then it could be done
+with some "trustproxy" config, without needing to complicate
+annex.security.allowed-http-addresses.
+
+I am doubtful about the security of local http proxies though,
+in the threat model that git-annex needs to worry about. When
+`http_proxy` is set, urls get passed to it as-is; git-annex is not
+currently able to interpose any checking that the url is on an allowed
+IP address.
+
+(git-annex cannot send http://$ipaddr/ to the http proxy,
+because the http server may require a specific hostname.
+And if git-annex only resolved the hostname and rejected ones on invalid
+IPs, then the http proxy would again resolve the hostname, and might
+see a different IP address than git-annex did.)
+
+So allowing a local http proxy seems just as insecure as
+annex.security.allowed-http-addresses=all.
+"""]]
diff --git a/doc/todo/Provide_a_way_to_white_list_local_networks___40__not_just_specific_IPs__41__/comment_2_64ffa9a560bf11ba22c715da0b4b1cfe._comment b/doc/todo/Provide_a_way_to_white_list_local_networks___40__not_just_specific_IPs__41__/comment_2_64ffa9a560bf11ba22c715da0b4b1cfe._comment
new file mode 100644
index 0000000000..7e304341cf
--- /dev/null
+++ b/doc/todo/Provide_a_way_to_white_list_local_networks___40__not_just_specific_IPs__41__/comment_2_64ffa9a560bf11ba22c715da0b4b1cfe._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2020-02-25T18:32:02Z"
+ content="""
+As to ports, it seems reasonable to support eg
+security.allowed-ip-addresses=127.0.0.1:80 to make sure that the massive
+electron app I have running on some random other port doesn't get abused
+to exfiltrate the contents of my $HOME. As a non-random example. :)
+"""]]