[
https://issues.apache.org/jira/browse/OFBIZ-11588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236002#comment-17236002
]
Daniel Watford commented on OFBIZ-11588:
----------------------------------------
[~pierresmits] - As I understand it, 0.0.0.0 is a reserved address which might
be used to match firewall rules or specify interfaces that a server should
listen on. I couldn't see how it would end up in the Host header of an
incoming HTTP request.
Are there cases where 0.0.0.0 would be present in the Host header? If not then
0.0.0.0 should be removed from the host-headers-allowed property in
security.properties.
Please let me know if I've misunderstood the intention behind accepting 0.0.0.0
as a Host header.
> Have 'host-headers-allowed' validation for all local headers
> ------------------------------------------------------------
>
> Key: OFBIZ-11588
> URL: https://issues.apache.org/jira/browse/OFBIZ-11588
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/security
> Affects Versions: Trunk
> Reporter: Pierre Smits
> Assignee: Pierre Smits
> Priority: Major
> Labels: CSRF, security
>
> The ip address 0.0.0.0 is missing from the list.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
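An added illustration (not OFBiz code) of the point the comment turns on: an allowlist such as `host-headers-allowed` in `security.properties` treats `0.0.0.0` as an ordinary entry, so a request carrying `Host: 0.0.0.0` passes the check for as long as that value stays listed. It assumes the property value is comma-separated and that a Host header may carry a port; the two property lines and the host names are constructed.

```python
"""Added example, not OFBiz code: how a Host-header allowlist like
host-headers-allowed behaves when 0.0.0.0 is listed.  Assumptions: the
property value is comma-separated, and the incoming Host header may carry
a port (host:port or [v6]:port)."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed sample property lines, written the way a .properties line reads.
WEAK_CONFIG = "host-headers-allowed=localhost,127.0.0.1,0.0.0.0,demo.example.org"
FIXED_CONFIG = "host-headers-allowed=localhost,127.0.0.1,demo.example.org"


def parse_allowed_hosts(properties_text: str) -> set[str]:
    """Return the host-headers-allowed entries as a normalised (lower-case) set."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "host-headers-allowed":
            return {h.strip().lower() for h in value.split(",") if h.strip()}
    return set()


def host_from_header(host_header: str) -> str:
    """Strip any port from a Host header value; an IPv6 literal loses its brackets."""
    try:
        # Prefixing "//" makes urlsplit treat the value as an authority component.
        return (urlsplit("//" + host_header.strip()).hostname or "").lower()
    except ValueError:  # e.g. an unbalanced "[" in a malformed IPv6 literal
        return ""


def unspecified_entries(allowed: set[str]) -> set[str]:
    """Allowlist entries that are the unspecified address (0.0.0.0 or ::)."""
    found = set()
    for entry in allowed:
        try:
            if ipaddress.ip_address(entry).is_unspecified:
                found.add(entry)
        except ValueError:  # not an IP literal, e.g. "localhost"
            pass
    return found


def host_header_allowed(host_header: str, properties_text: str) -> bool:
    """The check a server applies before trusting the Host header it received."""
    return host_from_header(host_header) in parse_allowed_hosts(properties_text)
```

`unspecified_entries` is the audit step: run over the parsed property it reports `0.0.0.0` for the weak configuration and nothing for the corrected one.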