On Thu, Apr 30, 2015 at 2:57 PM, Scott Robison <sc...@casaderobison.com>
wrote:

> On Thu, Apr 30, 2015 at 11:36 AM, Ron W <ronw.m...@gmail.com> wrote:
> True, but I can see the utility of the request. If someone is looking for
> an exploitable host, they probably haven't built a table of every host name
> that maps to that address. They might have one host name, or more likely
> they only have an IP address.
>
> In any case, if they are looking for a machine to exploit, and they
> request a page from "http://1.2.3.4/" instead of
> "http://www.legitimate-domain.com/", simply dropping the connection could
> be an effective mitigation strategy. A typical 404 response might include
> all the information the bad actor needs. Why make their job any easier?
>

Good point.

Normally, I would say this is something for a "front end" webserver to
handle.

However, IF I were to implement such functionality directly in Fossil, I
would do it by enhancing the existing multi-repository support. My thought
would be to add a new setting to tell Fossil that, in case either no or an
unknown repo is specified, to either display a default page, a specified
page, or drop the connection.

I think this would provide the desired effect with less potential for
feature creep in Fossil.
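The "front end webserver" approach mentioned above, as an added example that is not from the thread or from the Fossil project: an nginx configuration that drops connections for requests whose Host header matches no advertised name (e.g. a bare http://1.2.3.4/) and proxies only the legitimate name to Fossil. The upstream address 127.0.0.1:8080 and the Fossil listening port are assumptions.

```nginx
# Weak default: without an explicit default_server, nginx answers an
# unmatched Host with the FIRST server block on that port, so an IP-only
# request would still reach the Fossil site below and get its pages,
# 404s and version banner. The block here is what fixes that.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;          # catch-all for any Host not matched elsewhere
    return 444;             # nginx-specific: close the connection, send nothing
}

# Only the advertised host name reaches Fossil.
server {
    listen 80;
    listen [::]:80;
    server_name www.legitimate-domain.com;

    location / {
        # Assumed: Fossil running as `fossil server --port 8080 ...` locally.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The same pattern applies on port 443 with a default_server block, where the catch-all still needs a certificate (any self-signed one will do) so that the TLS handshake completes before nginx closes the connection.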
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
