prevent http connections to localhost and private ips by default

Security fix!

* git-annex will refuse to download content from http servers on
  localhost, or any private IP addresses, to prevent accidental
  exposure of internal data. This can be overridden with the
  annex.security.allowed-http-addresses setting.
* Since curl's interface does not have a way to prevent it from accessing
  localhost or private IP addresses, curl defaults to not being used
  for url downloads, even if annex.web-options enabled it before.
  Only when annex.security.allowed-http-addresses=all will curl be used.

Since S3 and WebDav use the Manager, the same policies apply to them too.

youtube-dl is not handled yet, and a http proxy configuration can bypass
these checks too. Those cases are still TBD.

This commit was sponsored by Jeff Goeke-Smith on Patreon.
Joey Hess 2018-06-17 13:05:30 -04:00
parent 43bf219a3c
commit b54b2cdc0e
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
5 changed files with 141 additions and 63 deletions

@ -1356,12 +1356,16 @@ Here are all the supported configuration settings.
* `annex.web-options`
Setting this makes git-annex use curl to download urls
Options to pass to curl when git-annex uses it to download urls
(rather than the default built-in url downloader).
For example, to force IPv4 only, set it to "-4".
Or to make curl use your ~/.netrc file, set it to "--netrc".
Setting this option makes git-annex use curl, but only
when annex.security.allowed-http-addresses is configured in a
specific way. See its documentation.
* `annex.youtube-dl-options`
Options to pass to youtube-dl when using it to find the url to download
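Review bot: In the `annex.web-options` entry, "only when annex.security.allowed-http-addresses is configured in a specific way. See its documentation." makes the reader hunt for the condition. The `annex.security.allowed-http-addresses` entry states it outright (curl configuration is ignored unless annex.security.allowed-http-addresses=all), so name the "all" value here too. Per the commit message, curl stops being used by default even where annex.web-options enabled it before, so a user who already relies on options such as "--netrc" or "-4" needs to see directly in this entry why they no longer take effect.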
@ -1393,15 +1397,34 @@ Here are all the supported configuration settings.
The default is "http https".
Think very carefully before changing this; there are security
implications. For example, if it's changed to allow "file" URLs,
then anyone who can get a commit into your git-annex repository
could add a pointer to a private file located outside that repository,
risking it being copied into the repository and transferred on to other
remotes, exposing its content.
implications. For example, if it's changed to allow "file" URLs, then
anyone who can get a commit into your git-annex repository could
`git-annex addurl` a pointer to a private file located outside that
repository, possibly causing it to be copied into your repository
and transferred on to other remotes, exposing its content.
Some special remotes support their own domain-specific URL
schemes; those are not affected by this configuration setting.
* `annex.security.allowed-http-addresses`
By default, git-annex only makes HTTP connections to public IP addresses;
it will refuse to use HTTP servers on localhost or on a private network.
This setting can override that behavior, allowing access to particular
IP addresses. For example "127.0.0.1 ::1" allows access to localhost
(both IPV4 and IPV6). To allow access to all IP addresses, use "all"
Think very carefully before changing this; there are security
implications. Anyone who can get a commit into your git-annex repository
could `git annex addurl` an url on a private http server, possibly
causing it to be downloaded into your repository transferred to
other remotes, exposing its content.
Note that, since curl's interface does not allow these IP address
restrictions to be enforced, any configuration that enables use of curl
will be ignored unless annex.security.allowed-http-addresses=all.
* `annex.secure-erase-command`
This can be set to a command that should be run whenever git-annex
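Review bot: The new `annex.security.allowed-http-addresses` entry opens with "By default, git-annex only makes HTTP connections to public IP addresses", but the commit message says youtube-dl is not handled yet and that an http proxy configuration can bypass these checks. The documentation should carry that caveat until those cases are closed, otherwise readers will take the default as covering every download path. Wording nits in the same entry: the sentence ending in use "all" lacks its closing period, "downloaded into your repository transferred to other remotes" is missing "and", "IPV4 and IPV6" should be "IPv4 and IPv6", and the command is written `git annex addurl` here but `git-annex addurl` in the allowed URL schemes text above it.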